Exposing django admin to users. Harmful?

Question

I am working on a Django somewhat e-commerce project, where, briefly, I have both a Customer and a Merchant model. The Merchant model is associated with a MerchantStore model which is somehow "complicated", having a plethora of m2m and foreign key relationships to various models.

Following the solution in this post and having not enough "time" to make a custom implementation, I decided to let each Merchant be a "stuff member" and customize his store through the admin interface. Of cource I created a new group with the appropriate permissions.

However, some questions arise:

1) Is this considered harmful? Are there any security threats associated?

2) Isn't this the best way to do it if you have not enough time anyway?

Answer 1

Yes, this is considered "harmful", mostly due to the design considerations of the Django developers. The admin revolves around a concept of "trusted users". In other words, if someone is a staff member (thereby having access to the admin), they presumably have enough of your trust to not be worried about security breaches. Now in truth, you could block them from portions they're not supposed to mess with (as you've done), but the point is that Django makes no guarantees in this area. You probably won't have any problems, in all actuality, but you could.

Ironically, I think I've spent more time in my life customizing the Django admin than it would have taken me to build it from scratch. Funny how that goes. Regardless, I'd liken it to using scaffolding in Ruby on Rails. It's a quick way to get something live, but the goal is to replace it as soon as possible.

Answer 2

No, I would not consider this harmful.

The "Zen of Admin" as described in Apress's djangobook seemed to imply an assumption of trust as part of the admin's "philosophy", and paired with the often-repeated "admin is not your app" advice, I too was scared at first and think the Django documentation could point out intended, viable use cases.

Please see my almost identical question Django AdminSite/ModelAdmin for end users?

From Jordan's answer (who I gave the bounty):

There is nothing inherently special about admin. It behaves just like any other view. So if it is using permissions to determine access (for example, if you set a user's .is_staff to True but give them access only to specific permissions) then it will be equally secure to any view you might create that uses permissions to determine access.

...

The people who wrote django.contrib.admin did not write it with the assumption that anyone with an is_staff = True could be trusted as much as a superuser, or was stupid enough to never take a look at the source code of a web page. Although writing your own views is encouraged, it is still a robust interface.

Also note Django's relatively recent security update http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists.

Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.