6👍
✅
For some reason you’re using the password field stored in the database, via request.user, rather than then one they’ve actually entered in the form. The database version is hashed, and when you call authenticate it hashes it again, so fails to match.
You should be using the value the user enters in the form:
username = request.user.username
password = form.cleaned_data['oldpassword']
user = authenticate(username=username, password=password)
Source:stackexchange.com