I created a mock user profile in the Django admin, in the admin/auth/user view, and assigned the user all permissions (active, staff status, superuser status). In admin/<app_name>/user I gave the user all authorization permissions. This user was created to test different permission sets on the admin panel. I have verified that this user model was created.
In the Django admin panel with the mock user, when I hit "View site" and enter the home view of the Django application, the POST request to the home page returns a different user as opposed to the current admin. Why is the HTTP request rendering a different user instead of the admin user? In the following example, my admin site welcomes the mock user I created (Test), but when I click 'View Site' the user is different from the 'Test' user. I only have 2 users created for the Django app.
I want to create a custom admin panel.
The admin panel has two main functions:
user management
and
token management
I completed everything else, but I got stuck on token management.
When the admin user adds a new user, it should generate a token,
and in the users_list view I can see all fields with the token.
Please suggest me some idea of how to do this.
What I want is to limit access to the Django admin login page to only the superuser. Meaning if you are not the superuser and try to access http://127.0.0.1:8000/admin, you should be redirected to a 404 page, something like that. The means or the custom view to perform this authentication is the challenge. Please somebody assist me with a hint on how to do it?
```python
from django.urls import path
from .views import my_custom_function

urlpatterns = [
    path('admin/', my_custom_function, name="check_if_superuser"),
    # when somebody hits this url pattern, he/she should be taken to the
    # function above for checking if superuser before being redirected to
    # the django admin login page
]
```
and in my views.py I have the following function that does the authentication:
```python
from django.http import Http404
from django.shortcuts import redirect

def my_custom_function(request):
    # is_superuser is a boolean attribute, not a method
    if request.user.is_superuser:
        # redirect to the django admin login page
        # (the admin URLs must still be included under another name)
        return redirect('admin:login')
    else:
        # everyone else gets a 404 response
        raise Http404
```
Yeah, something like that.
By default, Django admin allows login for superusers or staff users only, so it is kind of safe to have an admin login panel. Also, if you want to restrict that login path, I think it's best to put a firewall on that particular route, so that only whitelisted IPs can access it. You can use NGINX for this, and the configuration should be something like this:
```nginx
location /admin {
    # block one workstation
    deny 192.168.1.1;
    # allow anyone in 192.168.1.0/24
    allow 192.168.1.0/24;
    # drop rest of the world
    deny all;
}
```
This article could be helpful with the configuration.
I assume there might be a catch-22 in the described scenario.
To check user rights there has to be a logged-in user.
If you put the check only on available users (is_superuser) and show 404:
a logged-in non-superuser will receive 404
a not-logged-in visitor can go to the admin page
If you add a check whether the user is logged in and show 404 if not as well:
no one can log in from the admin page, unless logged in somewhere else and going to the admin afterwards
Both scenarios sound inconsistent to me. I think what you are trying to achieve is intended to be done by the Django framework in a slightly different way.
There is has_permission() in the AdminSite class in django.contrib.admin.sites, which:
Return True if the given HttpRequest has permission to view at least one page in the admin site
and by default returns request.user.is_active and request.user.is_staff.
If you change it in your admin.py, only active superusers will be able to use the admin:
```python
from django.contrib import admin

def has_superuser_permission(request):
    return request.user.is_active and request.user.is_superuser

# Only active superusers can access the root admin site (default)
admin.site.has_permission = has_superuser_permission
```
And even logged-in non-superusers will be shown a message about insufficient rights and prompted to re-login.
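As an added example, not code from the answer above, the same check packaged as a helper that can be installed on admin.site or any custom AdminSite, plus a decision table over the visitor types the answer discusses (anonymous, active staff, inactive superuser, active superuser). It runs without Django installed, so the request objects are constructed stand-ins carrying only the attributes the check reads; the installer works the same on a real AdminSite instance.

```python
from types import SimpleNamespace


def has_superuser_permission(request):
    """Drop-in replacement for AdminSite.has_permission: only active superusers pass.

    Django's AnonymousUser reports is_active=False and is_superuser=False, so an
    anonymous visitor is refused as well; AdminSite.admin_view() then sends
    a refused request to the admin login form rather than raising a 404.
    """
    user = getattr(request, "user", None)
    return bool(user is not None and user.is_active and user.is_superuser)


def restrict_to_superusers(site):
    """Install the check on an AdminSite instance (admin.site or a custom one).

    Assigning to the instance attribute shadows the class method; AdminSite
    calls has_permission(request) with the request as the only argument,
    which matches this plain function's signature.
    """
    site.has_permission = has_superuser_permission
    return site


def make_request(is_active, is_staff, is_superuser):
    """Constructed stand-in for a Django request with an attached user."""
    user = SimpleNamespace(is_active=is_active, is_staff=is_staff,
                           is_superuser=is_superuser)
    return SimpleNamespace(user=user)


def admin_access_table():
    """Map each visitor type to whether a restricted site admits it."""
    # A stand-in for admin.site; a real AdminSite instance works identically.
    site = restrict_to_superusers(SimpleNamespace())
    cases = {
        "anonymous": make_request(False, False, False),
        "active staff, not superuser": make_request(True, True, False),
        "inactive superuser": make_request(False, True, True),
        "active superuser": make_request(True, True, True),
    }
    return {label: site.has_permission(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, allowed in admin_access_table().items():
        print(f"{label:30s} -> {'admin index' if allowed else 'login form'}")
```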
I currently use the "Google Accounts API" to allow users to log in to my GAE app. So I use users.create_login_url and users.get_current_user and add an ndb.UserProperty to my own user entity so that I can retrieve data for that user.
I'm now in the process of switching to OAuth2 (using authomatic).
I don't know how to handle admin users after the switch to OAuth2. I currently use users.is_current_user_admin to detect an admin user, but that won't work if the admin logs in with OAuth2.
I see two awkward solutions:
Keep using the Google Accounts API for admin users and have regular users log in with OAuth2.
Store a list of OAuth2 credentials for admin users (hardwired in the code or in the datastore) so admin users will be recognized after login with OAuth2.
Is there a better way, or should I use one of the above, and if so, which one?
I'll describe how I ended up doing it in case it is helpful for others.
Below is my Login handler. If a user goes to "/login" then it displays login buttons. When a user clicks on a button, the page redirects to, e.g., "/login/google" to do OAuth2 processing.
If I want to log in as admin, then I manually enter this URL: "/login/gae".
```python
class Login(webapp2.RequestHandler):
    def get(self, provider=None):
        # Show the login page and allow the user to select a provider
        if not provider:
            template = JINJA_ENVIRONMENT.get_template("login.html")
            self.response.write(template.render())
        # Only for admin login. Use app engine login.
        elif provider == "gae":
            self.redirect(users.create_login_url("/"))
        # The user has selected a provider so we do oauth2 login.
        else:
            session = Webapp2Session(self, session=self.session)
            result = authomatic.login(Webapp2Adapter(self),
                                      provider,
                                      session=session,
                                      session_saver=session.save)
            ...
```
To allow the admin to log out, I conditionally put an admin logout link on my web pages by creating this template variable:
```python
logout_url = users.create_logout_url("/") if users.is_current_user_admin() else None
```
and adding this to my page template:
```html
{% if logout_url %}
<li>Admin Logout</li>
{% endif %}
```
I have a custom admin page:
```python
class StripeAdminSite(admin.AdminSite):
    ...
    pass
```
I have registered django.contrib.auth.models.User with this admin site:
```python
stripe_admin_site = StripeAdminSite(name='Stripe')
stripe_admin_site.register(User)
```
Now User shows up in the admin page, and it also lets me create users (as staff), but after creation, when I try to log in with them to the dashboard, it does not allow me to do that.
After switching back to the default admin site, I got this written in my old users' password fields:
Invalid password format or unknown hashing algorithm.
Now what can be done?
More/Extra information: How to bring default add user page at django custom admin page?
The problem is that you did not register the User model with Django's UserAdmin. This means that the password was not hashed properly when the user was created, so they can't log in.
To use Django's UserAdmin, change your code as follows:
```python
from django.contrib.auth.admin import UserAdmin

stripe_admin_site = StripeAdminSite(name='Stripe')
stripe_admin_site.register(User, UserAdmin)
```
Once you have done this, you will not get this problem for new users that you add in future.
Use the change password link to reset the password for any existing users, and then they should be able to log in.
I have installed Django admin and created some active users and groups through the admin page.
I need to make a login form and views, which will check whether the user is valid or not and do tasks on the basis of their permissions.
I have tried the following steps (for reference):
Copied the admin login.html for testing and pasted it to foo_project/templates/registration/login.html
Added in urls.py:
```python
from django.contrib.auth.views import login
url(r'^login/', login),
```
Now by running 127.0.0.1:8080/login
When I am entering a valid username and password it's trying to open /accounts/profile/, and it's not found in urls.py. And if I am entering an invalid username or password it's doing nothing.
So I simply need to link a page if login is successful (user created by admin) and check which type of permission and group he has. Admin created the auth_user table in my db.sqlite3.
I am new to Django and using version 1.6.
I read the documentation and tried the built-in login() in views.py. Got no success.
Is there any built-in for the above need? Please describe in depth if possible.
In settings.py create this entry:
```python
LOGIN_REDIRECT_URL = "your_redirect_url"
```
The user will be redirected to this page after login. Then in the view you will create that responds to "your_redirect_url" (it should be defined somewhere in your urls.py), you can check the permissions or groups. For more help about checking permissions and groups, you can find it here.
The login_required decorator can be really useful when implementing your view for your "redirect_url", because you don't want anonymous users accessing this part of the site, right?