Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I restrict access to admin pages in Django?

Tags:

python

django

django-admin

I need the Django admin interface to be accessible only for superusers and staff when in productions and show a 404 of all other types of users including when not logged in. Is this possible and how?

like image 445
ip. Avatar asked Jul 03 '14 17:07

ip.

2 Answers

I ended up writing a middleware for it:

from django.core.urlresolvers import reverse
from django.http import Http404

class RestrictStaffToAdminMiddleware(object):
    """
    A middleware that restricts staff members access to administration panels.
    """
    def process_request(self, request):
        if request.path.startswith(reverse('admin:index')):
            if request.user.is_authenticated():
                if not request.user.is_staff:
                    raise Http404
            else:
                raise Http404
like image 116
ip. Avatar answered Oct 25 '22 10:10

ip.

Overwrite the admin_view part of the AdminSite class before using it in the urls.

In admin.py file (create it if you don't have it) add:

from functools import update_wrapper

from django.http import Http404
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect


def admin_view(view, cacheable=False):
    """
    Overwrite the default admin view to return 404 for not logged in users.
    """
    def inner(request, *args, **kwargs):
        if not request.user.is_active and not request.user.is_staff:
            raise Http404()
        return view(request, *args, **kwargs)

    if not cacheable:
        inner = never_cache(inner)

    # We add csrf_protect here so this function can be used as a utility
    # function for any view, without having to repeat 'csrf_protect'.
    if not getattr(view, 'csrf_exempt', False):
        inner = csrf_protect(inner)

    return update_wrapper(inner, view)

and then in your urls file add:

from django.conf.urls import patterns, include, url
from django.contrib import admin
from django.views.defaults import page_not_found

from my_project.admin import admin_view
admin.site.admin_view = admin_view

urlpatterns = patterns('',
    url(r'^admin/login/', page_not_found),
    url(r'^admin/', include(admin.site.urls)),
)

Of course if you still want the login to be found then remove the url(r'^admin/login/', page_not_found) line.

like image 5
Christoffer Avatar answered Oct 25 '22 09:10

Christoffer
Sign in to Comment

Related questions

How to get IP address of hostname inside jinja template
How to connect to remote server with paramiko without a password?
Ignore a specific test using Django [duplicate]
How to find and count emoticons in a string using python?
PyQt5: How can I connect a QPushButton to a slot?
How to know if a paramiko SSH channel is disconnected?
Python: is "except KeyError" faster than "if key in dict"?
Override JSONSerializer on django rest framework
Flask SQLAlchemy filter records from foreign key relationship
Default fonts in Seaborn statistical data visualization in iPython
Is there a python strip function equivalent in javascript?
Cannot create virtualenv instance in python 2.7.5 because of pip installation error
Converting from RGB to LAB Colorspace - any insight into the range of L*A*B* values?
Extract data from JSON API using Python [duplicate]
Python/Java script to download all .pdf files from a website
Python - Sentiment Analysis using Pointwise Mutual Information
Convert integer to binary array with suitable padding
How do I find the intersection of two line segments?
How to use glob to read limited set of files with numeric names?
ValueError resizing an ndarray

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!