I want to use the Django user model, but I want to keep the super user to administrate the site. I want the other users to be unable to access the admin interface. But I want them to be able to access another custom admin page that deals with uploaded files. I've read a lot of documentation regarding customizing the user model and the admin pages, but I'm having trouble figuring out how to accomplish such a task.
I see that I can subclass the AdminSite that is used for the admin page and make my own, but that runs into problems with is_staff and such.
My idea was to create a custom permission and extend the user model to have it, this permission would allow access to the admin page. But I'm still unsure how to create the admin page with the method I mentioned and avoid the problems of still allowing them access to the regular admin page.
What would be the best method to accomplish this? How could I create an admin page like this and such a permission and then assign it to an extended User as well as prevent them access to the normal admin page?
I am familiar with the decorator @user_passes_test() to check for groups, but what I am concerned with is making sure they can't get into anything but the "lesser" admin panel. Basically I don't want these users to be able to access anything but their own admin dashboard.
Any examples or suggestions would be most welcome, I need advice on creating the admin page for these normal users, how to create these normal users, and how to ensure that they can access the "lesser" admin page but not the normal django admin that has control over everything.
As a side question, if I was using django-suit to customize my normal admin page, would this change anything?
Thanks
If I understood correctly:
in your views.py
from django.contrib.auth.decorators import permission_required
and over your def:
@permission_required('is_superuser')
this page will only see is_superuser.
I am a total noob with Django, I come from the PHP world and I am used to doing things differently.
I'm building an app and I want to change the way the backend looks, I want to use Bootstrap 4 and add a lot of custom stuff e.g. permission based admin views, and I was wondering what is the best practice, or how do more experienced django devs go about it?
Do they override all the django.contrib.admin templates, or do they build custom templates and login/register next to it, and use the django.contrib.admin only for the superuser?
What is the django way?
Django admin is intended for administration purposes. For all intents and purposes it is a direct interface to your database. While I have seen some people building customer facing interfaces using admin, this is most definitely not the way to make a general Django web application.
You should define views for your models. You can use built-in APIs to login and authenticate users. You should most likely restrict access to admin to internal users only.
As for templates, the modern way of doing things is to dynamically fetch data using an API and do all the UI logic in JavaScript. Django can be used very well to provide an API to a frontend. Look into Django REST Framework. The basic idea is to write serializers for your models and have view functions serve the serialized data to the front end.
You could go the old school way and render your pages using templates of course. In that case your views would render templates using data provided by your models.
Yes. The admin pages are actually for administering the webpage. For user login and registration you create the templates. However, if you want your backend to look different then you can tweak the template for the admin page, admin login page as well. And you can also have permission based admin views. It's okay to override the defaults as long as you know what you're doing. Hope that helped.
I am new to django and have gotten a bit stuck on trying to make the admin site work as I'd like it to. I am wondering if for making the admin functionality I want it is better to make a custom admin app with a template inheriting from admin/base_site.html, using the frontend login with a redirect when is_staff is true.
The initial details that make me think this:
I have a chain of foreignkeys and would like to display nested inlines on the parent admin page. I have tried using easymode, but it's got its own issues and requirements that may cause headaches later I can do without.
I would like to add a function allowing the admin to add an instance of a model, which triggers the creation of instances of its related models and redirects etc. This requires adding some callables at least, which I haven't figured out yet how to really do with any success in the admin model, and at the moment seems easier to just quickly do this in the views.py of my own app rather than trying to toy with the admin views.
In general, creating a custom admin app (using a is_staff=true redirect on the FrontEnd login) seems more flexible in the long run, and will result in a more designed and intuitive admin interface for the client - so I suppose my question is, what are the semi-pros doing? (if you know how to hack the admin views and templates to your heart's content you are not a semi-pro :) )
Thanks for any advice you can offer, I'm still getting my feet wet and this kind of advice could save me a lot of time and headache.
Slow down. Relax. Follow the Django philosophy.
You have an "app". It presents data. Focus on presentation.
You have a default, built-in admin for your "app". It updates data and it's already there.
If the admin app doesn't meet your needs update Forms and update Models to get close. But don't strain yourself messing with admin. Get as close as you can. But relax about it.
[Also, "more intuitive admin" is sometimes not an accurate description of what you're trying to do. It could be, but I've seen some "more intuitive" that actually wasn't.]
a more designed and intuitive admin interface for the client.
Is this part of the app? Does the app do more than simply present data?
If the app is transactional -- add, change, delete -- crud rules -- that kind of thing, then that's your app. If you want a fancy UI, that's not admin any more. There's no redirect. That's your app.
It's just coding. Stop messing with admin and start writing your app.
Hint: Use generic views as much as possible.
Other than that, you're talking about your app, not hacking the admin stuff that already works.
if you know how to hack the admin views and templates to your heart's content you are not a semi-pro
Wrong. All the source is there. You can read it, also. That's what the pros do. We read the source. And we don't hack the admin app.
If you have complex transactions, you have a first-class, for-real, actual application. Not default admin, but a part of your app that has forms.
If you have forms, then, well, you have forms. This does not require hacking the admin app, it's just coding more of your app.
Go through the links mentioned in this post as well. This may be helpful for you.
Is Django admin difficult to customize?
I am quite new to Django, so it may be a stupid question, but, nevertheless:
I need Django admin part to edit contents on the site, and also I want to have authentication, that will allow registered users to leave comments.
I have the following idea of implementing it: have 2 different tables(admins and other registered users) and use the /admin url to login in admin area and /login to login other users for leaving comments, etc.
Is this a nice scheme? Or should I use the same url for all users, that will redirect admins to admin area? What is the most simple way to implement this?
Examples of nice Django code are highly appreciated.
Thanks!
"have 2 different tables(admins and other registred users)"
Bad idea. Django auth module has one user table. You can easily assign users to groups. Some groups have admin access to anything. Other groups can only leave comments. Read up on the auth module before you do anything more.
http://docs.djangoproject.com/en/dev/topics/auth/
"use the /admin url to login in admin area and /login to login other users for leaving comments, etc."
That's fine. Turns out, both will use the same authentication mechanism. Read this: http://docs.djangoproject.com/en/dev/topics/auth/#the-login-required-decorator
All view functions will use decorators to determine who's allowed to perform those functions.
I've recently started learning/using django; I'm trying to figure out a way to have two separate authentications systems for administrators and users. Rather than create a whole new auth system, I'd like to leverage django's built-in functionality (i.e. session management, @login_required decorator, etc.).
Specifically, I want to have two separate login tables - one for admins, one for users. The admin login table should be the default table that django generates with its default fields (ie. id, username, email, is_staff, etc.). The user table, on the other hand, I want to have only 5 fields - id, email, password, first_name, last_name. Furthermore, I want to use django built-in session management for both login tables and the @login_required decorator for their respective views. Lastly, I want two separate and distinct login forms for admins and users.
Anyone have any suggestions on how I can achieve my goal or know of any articles/examples that could help me along?
If I understand your question correctly (and perhaps I don't), I think you're asking how to create a separate login form for non-admin users, while still using the standard Django authentication mechanisms, User model, etc. This is supported natively by Django through views in django.contrib.auth.views.
You want to start with django.contrib.auth.views.login. Add a line to your urlconf like so:
(r'^login/$', 'django.contrib.auth.views.login', {'template_name': 'myapp/login.html'})
The login generic view accepts the template_name parameter, which is the path to your custom login template (there is a generic one you can use as well, provided by django.contrib.auth).
Full documentation on the login, logout, password_change, and other generic views is available in the Django Authentication Docs.
You could potentially write one or more custom authentication backends. This is documented here. I have written a custom backend to authenticate against an LDAP server, for example.
Modify things slightly so that users have a category prefix on their username? You haven't given us much info on what you want to do, it's possible that your needs might be met by using the sites framework, or simply two separate django installs.
If what you're trying to do is make the user login page and the admin login page separate, just use the built in framework as detailed in the docs to create a "user" login page and leave the admin one alone. If you're worried that users will somehow start editing admin login stuff, don't be, they won't unless you let them.
I have made a custom formwizard and incorporated it into my admin interface.
Basically I have taken the change_form.html and left it under the admin interface url:
(r'^admin/compilation/evaluation/add/$', EvaluationWizard([EvaluationForm1, EvaluationForm2])),
It works, but the admin "session" is not kept. I can access the page without being logged in to the admin interface, and the admin variables like the breadcrumbs are not working.
How do I incorporate it under the "admin interface session" so to speak?
Thanks,
John
If you need to make sure only authorised users access the page, you need to check for an admin user in your request handler. This will be the __call__ method in your EvaluationWizard class.
Basically, the logic used by the admin is available for viewing here. Look for this in the AdminSite class:
if not self.has_permission(request):
    return self.login(request)
and use similar logic, or whatever you need. You'll need a similar statement at the top of your __call__ method. The has_permission method of AdminSite is a one-liner, which you can use as-is, but you'll need to adapt the login method to your specific needs.