
Django admin.site.urls only accessible to superuser (The admin login page only accessible to superuser)

What I want is to limit access to the Django admin login page to only the superuser. Meaning, if you are not the superuser and try to access http://127.0.0.1:8000/admin, you should be redirected to a 404 page, something like that. The means, or the custom view, to perform this authentication is the challenge. Please, somebody assist me with a hint on how to do it?

    from django.urls import path

    from .views import my_custom_function

    urlpatterns = [
        path('admin/', my_custom_function, name="check_if_superuser"),

        # when somebody hits this url pattern, he/she should be taken to the
        # function above for checking if superuser before being redirected to
        # the django admin login page
    ]

and in my views.py I have the following function that does the authentication

    from django.http import Http404
    from django.shortcuts import redirect

    def my_custom_function(request):
        # is_superuser is a boolean field on the user model, not a method
        if request.user.is_superuser:
            # ... redirect to the django admin login page (assumes the admin
            # site's URLs are mounted elsewhere under the 'admin' namespace)
            return redirect('admin:login')
        else:
            # return the 404 page
            raise Http404

yeah something like that.

By default, Django admin allows login for superusers or staff users only. So, it is kind of safe to have an admin login panel. Also, if you want to restrict that login path, I think it's best to put a firewall on that particular route, so that only whitelisted IPs can access it. You can use NGINX for this, and the configuration should be something like this:

location /admin {
  # block one workstation
  deny    192.168.1.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.1.0/24;
  # drop rest of the world 
  deny    all;
}

This article could be helpful with the configuration.
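The `allow`/`deny` block above only does what the comments say because of its order: nginx's access module checks the directives top to bottom and the first match wins, so the single-host `deny` must come before the `/24` `allow`, and the closing `deny all` is what turns the list into an allowlist at all. The following is an added example, not code from the answer above or from nginx itself, that reproduces that first-match evaluation in Python with the standard `ipaddress` module so the ordering pitfall can be checked offline; the rule lists, the `first_match_decision` helper and the constructed `MISORDERED_RULES` variant are this example's own.

```python
import ipaddress

# The rules from the `location /admin` block above, in the order nginx lists
# them. ngx_http_access_module walks allow/deny directives top to bottom and
# the FIRST matching directive decides; later ones are never consulted.
ADMIN_RULES = [
    ("deny", "192.168.1.1"),       # block one workstation
    ("allow", "192.168.1.0/24"),   # allow anyone in 192.168.1.0/24
    ("deny", "all"),               # drop rest of the world
]

# Same directives with the first two swapped (constructed to show the pitfall):
# the /24 allow now shadows the single-host deny, so 192.168.1.1 gets in.
MISORDERED_RULES = [
    ("allow", "192.168.1.0/24"),
    ("deny", "192.168.1.1"),
    ("deny", "all"),
]


def first_match_decision(client_ip: str, rules=ADMIN_RULES) -> str:
    """Return "allow" or "deny" for client_ip under first-match semantics.

    client_ip is the address nginx sees on the TCP connection ($remote_addr).
    A bare address such as "192.168.1.1" is treated as a single host (/32, or
    /128 for IPv6), as nginx does; the pattern "all" matches every address.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, pattern in rules:
        if pattern == "all":
            return action
        net = ipaddress.ip_network(pattern, strict=False)
        if addr in net:  # evaluates to False when the address families differ
            return action
    # No directive matched: the access module does not deny, so the request
    # proceeds. This is why the trailing `deny all` is essential.
    return "allow"


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.77", "10.0.0.5"):
        print(ip, "correct order ->", first_match_decision(ip),
              "| misordered ->", first_match_decision(ip, MISORDERED_RULES))
```

Two caveats when applying this for real: nginx matches on the source address of the connection, so behind a load balancer or reverse proxy every request appears to come from the proxy and the list either admits or blocks everyone unless the real client address is recovered first (nginx's `ngx_http_realip_module` with a trusted-proxy list); and the `location /admin` prefix also matches any URI that merely begins with `/admin`, so the allowlist is a network-level gate in front of Django's own authentication, not a replacement for it.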

I assume there might be a catch-22 in the described scenario.

  1. To check user rights there should be a logged-in user.
  2. If you put the check only on available users (is_superuser) and show 404:
     • a logged-in non-superuser will receive 404
     • a not-logged-in visitor can go to the admin page
  3. If you add a check whether the user is logged in and, if not, show 404 as well:
     • no one can log in from the admin page, unless logged in somewhere else and got to admin afterwards

Both scenarios sound inconsistent to me. I think what you are trying to achieve is intended to be done by Django framework in a slightly different way.


There is has_permission() in the AdminSite class in django.contrib.admin.sites, which

Return True if the given HttpRequest has permission to view at least one page in the admin site.

and by default returns request.user.is_active and request.user.is_staff. If you change it in your admin.py, only active superusers will be able to utilize the admin:

from django.contrib import admin

def has_superuser_permission(request):
    return request.user.is_active and request.user.is_superuser

# Only active superuser can access root admin site (default)
admin.site.has_permission = has_superuser_permission

And even logged-in non-sups will be shown a message about insufficient rights and prompted to re-login.
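To make the catch-22 listed above and the effect of the `has_permission` override concrete, here is an added example that is not code from the question, from the answer above, or from Django itself. It uses a small stand-in for the attributes Django's `User` and `AnonymousUser` expose (`is_authenticated`, `is_active`, `is_staff`, `is_superuser` are Django's real attribute names; the `FakeUser` class is this example's own) and a function that models what `AdminSite.admin_view` does when `has_permission` fails, namely handing the request to the admin login view, which shows an already authenticated user the "not authorized, log in as a different account" prompt. The three policies compared are the question's URL-level `is_superuser` gate, Django's stock `has_permission`, and the superuser-only override from the answer; the outcome labels are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeUser:
    """Constructed stand-in for the user attributes Django exposes on
    request.user; no Django installation is needed to run this file."""
    is_authenticated: bool
    is_active: bool = False
    is_staff: bool = False
    is_superuser: bool = False


# The three kinds of visitor the answer's catch-22 distinguishes.
ANONYMOUS = FakeUser(is_authenticated=False)
STAFF_USER = FakeUser(is_authenticated=True, is_active=True, is_staff=True)
SUPERUSER = FakeUser(is_authenticated=True, is_active=True, is_staff=True,
                     is_superuser=True)


def default_has_permission(user: FakeUser) -> bool:
    """Django's stock AdminSite.has_permission rule."""
    return user.is_active and user.is_staff


def superuser_has_permission(user: FakeUser) -> bool:
    """The override from the answer above."""
    return user.is_active and user.is_superuser


def question_gate(user: FakeUser) -> str:
    """The approach sketched in the question: a view mounted on admin/ that
    404s anyone who is not already a superuser. Note that an anonymous
    visitor is never a superuser, so nobody can reach the login page."""
    return "admin" if user.is_superuser else "404"


def admin_site_view(user: FakeUser, has_permission) -> str:
    """Models AdminSite.admin_view: a request failing has_permission is sent
    to the admin login view. For an anonymous visitor that is the plain login
    form; for an authenticated user it is the same form carrying the
    'not authorized, would you like to log in as a different account?' note."""
    if has_permission(user):
        return "admin"
    return "relogin_prompt" if user.is_authenticated else "login_page"


def outcome_matrix() -> dict:
    """Outcome for every visitor kind under every policy."""
    actors = {"anonymous": ANONYMOUS, "staff": STAFF_USER, "superuser": SUPERUSER}
    return {
        name: {
            "question_gate": question_gate(user),
            "django_default": admin_site_view(user, default_has_permission),
            "superuser_only": admin_site_view(user, superuser_has_permission),
        }
        for name, user in actors.items()
    }


if __name__ == "__main__":
    for actor, outcomes in outcome_matrix().items():
        print(f"{actor:10s}", outcomes)
```

The matrix shows why the answer calls the question's plan inconsistent: the URL-level gate returns 404 to the anonymous visitor as well as to the staff user, so the login page is unreachable for everyone, while the `has_permission` override keeps the login page reachable, still admits only active superusers, and turns a logged-in staff member's visit into the re-login prompt rather than a silent 404.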
