With Django Hijack, admins can log in and work on behalf of other users without having to know their credentials.

Overview

Django Hijack

Screenshot of the notification seen while hijacking another user.

Docs

3.x docs are available in the docs folder. This version provides a security first design, easy integration, customisation, out-of-the-box Django admin support and dark-mode. It is a complete rewrite and all former APIs are broken.

2.x docs are available on Read the Docs http://django-hijack.readthedocs.org/en/stable/.

Testimonials

I am using django-hijack on a project with hundreds of users, wonderful tool for support. Thank you!

-- benzinonapoloni on reddit

This is a super useful tool. I have a site where I occasionally impersonate users to help troubleshoot their issues. This is a huge time saver.

-- orangishyellow on reddit

... one of our standard apps to install now.

-- thundersnow on reddit

Love django-hijack

-- bmihelac on Twitter

Donations

django-hijack is free software. If you find it useful and would like to give back, please consider making a donation using Bitcoin or PayPal. Thank you!
Comments
  • Maintainership

    Hi @philippeowagner,

    Let me start by expressing my gratitude towards the hours you and other contributors have sunk into this project. With that in mind, it would be sad to see this library fade away. Looking at the current state of the repository, it might be time to consider putting this project under new maintainership, to fuel the project with new enthusiasm.

    Since you are a @jazzband member yourself, that would certainly be an option. If you prefer a corporate or individual maintainer, that could also be arranged.

    Maybe you find the time to share your thoughts.

    Best, Joe

    opened by codingjoe 16
  • skip hijack if request or request.session is None

    Bumped into a case where request is None when trying to render a template error message after an uncaught exception elsewhere in the application, resulting in another exception in hijack_tags.py. The changes in this pull request handle this by checking for request==None and request.session==None before trying to get the session attributes.

    opened by khpeterson 16
  • Hijack session variables are not available until after hijack is fully completed

    I am using the builtin django auth signal user_logged_in to record when users log in and store metadata about their login. However, I do not want to keep track of hijacked logins. This presents an issue because at the point a user is logged in via hijack https://github.com/arteria/django-hijack/blob/master/hijack/helpers.py#L110, the session variables are not set, which does make sense since you wouldn't want to set session variables before a login completely succeeds.

    Perhaps, there could be some other session variable set at the beginning of the login_user method that would give an indication that the user's login is being handled from django-hijack.

    opened by alex-kaufman 11
  • A lot of work with django-hijack

    @philippeowagner We should probably discuss the changes outside of Github. I wrote you in KeyBase. My package on test.pypi https://test.pypi.org/project/django-hijack/

    === (3.0.0) ===

    • Drop support for python<3.5
    • Drop support for Django<2.2
    • Big code refactoring
    • CI improvements, automatically pypi deploy
    • Added wheel for pypi build
    opened by Mogost 10
  • Django-jinja2 integration

    Hello! Thanks for making hijack. Been using it on my site, but we just switched most of our main pages to using django-jinja for template rendering and thought that you might like to have in the system the code we needed to use to get the tag to work.

    Writing a Jinja2 extension is very difficult, and there were no documented examples I could find of how to write an extension that required the request object, so I implemented it as a filter on the request object. So in place of {% hijack_notification %} I used {{ request|hijack_filter }} and then made an entry in jinja_filters.py like so:

    import django
    from django.template.loader import render_to_string
    from django.utils.safestring import mark_safe
    from django_jinja import library
    from hijack import settings as hijack_settings

    @library.filter
    def hijack_filter(request):
        """Render the hijack warning for this request, or an empty string."""
        # Pick the notification template that matches the configured styling.
        if hijack_settings.HIJACK_USE_BOOTSTRAP:
            template_name = 'hijack/notifications_bootstrap.html'
        else:
            template_name = 'hijack/notifications.html'
        ans = ''
        # Only render when warnings are enabled and the session is a hijacked one.
        if request is not None and all([
            hijack_settings.HIJACK_DISPLAY_WARNING,
            request.session.get('is_hijacked_user', False),
            request.session.get('display_hijack_warning', False),
        ]):
            if django.VERSION < (1, 8):
                # Django < 1.8 takes the request through a RequestContext.
                from django.template import RequestContext
                ans = render_to_string(template_name, context_instance=RequestContext(request))
            else:
                ans = render_to_string(template_name, request=request)
        # The markup comes from the package's own template, so mark it safe for Jinja2.
        return mark_safe(ans)
    

    In config.settings, in the TEMPLATES setting for django_jinja.backend.Jinja2, under OPTIONS add a dict:

    "filters": {
        "hijack_filter": 'myapp.utilities.jinja_filters.hijack_filter',
    },
    

    Hope that this is helpful to others or can become a part of the default hijack installation.

    waiting for feedback 
    opened by mscuthbert 10
  • Add support for non-integer primary key user models

    Simplify URL and view structure. Add support for multiple PK types based on URL pattern as well as natural key support via URL patterns.

    Changes:

    • Deprecate HIJACK_URL_ALLOWED_ATTRIBUTES setting favoring HIJACK_USER_URL_PATTERN.
    • Deprecate URL names login_with_id, login_with_username and login_with_email favoring acquire.
    • Deprecate URL name release_hijack favoring release.
    • Deprecate views login_with_id, login_with_username and login_with_email favoring release_user_view.
    • Deprecate view release_hijack favoring release_user_view.

    Close #196 Close #183 Close #184 Close #198 Close #147 Close #175

    opened by codingjoe 9
  • The authentication was broken

    After installing the module on the site, I began to notice that some users see some pages of other users. How to fix this? Django: 2.0.1, Python: 3.6.4, django-hijack: 2.1.6, django-hijack-admin: 2.1.6

    waiting for feedback 
    opened by GitBib 9
  • HTML should not be parsed with regex

    The middleware's process_response method uses regex to parse the HTML response and inject content.

    This is easily broken, leading to the content being injected in the wrong place or not at all.

    I will open a PR with unit tests showing this.

    See this stackoverflow post as to why parsing HTML with regex is a bad idea.

    opened by LincolnPuzey 8
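The failure mode this issue describes, as an added example that is not django-hijack's code: `inject_with_regex` is a constructed stand-in for regex-based injection (the middleware's actual pattern is not shown on this page), while `inject_with_parser` finds the real `</body>` end tag with the standard library's `html.parser`. The notice markup and the sample page are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed notification markup and response body (not taken from the project).
NOTICE = '<div class="hijack-notice">You are working on behalf of another user</div>'
SAMPLE = (
    "<html><body>\n"
    "<!-- legacy footer: </body> -->\n"
    '<script>var tpl = "<p>hi</p></body>";</script>\n'
    "<p>Account page</p>\n"
    "</body></html>"
)


def inject_with_regex(html, snippet=NOTICE):
    """Stand-in for regex injection: insert before the first textual '</body>'."""
    return re.sub(r"</body>", lambda m: snippet + m.group(0), html,
                  count=1, flags=re.IGNORECASE)


class _BodyEndLocator(HTMLParser):
    """Record the (line, column) of the last genuine </body> end tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.body_end = None

    def handle_endtag(self, tag):
        # Not called for '</body>' text inside comments or <script> content,
        # because the parser treats those as comment/CDATA data.
        if tag == "body":
            self.body_end = self.getpos()


def inject_with_parser(html, snippet=NOTICE):
    """Insert the snippet directly before the real </body>; no-op if absent."""
    locator = _BodyEndLocator()
    locator.feed(html)
    locator.close()
    if locator.body_end is None:
        return html
    lineno, column = locator.body_end
    # HTMLParser counts lines by '\n' only, so split the same way.
    preceding = html.split("\n")[: lineno - 1]
    index = sum(len(line) + 1 for line in preceding) + column
    return html[:index] + snippet + html[index:]


if __name__ == "__main__":
    print(inject_with_regex(SAMPLE))
    print("-" * 40)
    print(inject_with_parser(SAMPLE))
```

With the regex variant the notice lands inside the HTML comment and is never rendered, so the hijacker gets no visible reminder that they are acting as another user.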
  • Complete rewrite with a focus on security

    The old design was based on a lot of untested behavior that has since been included in Django itself, including proper testing and security oversight.

    This refactoring uses those new tools and aims to greatly simplify the overall design. This simplification should keep potential exposure to a minimum.

    As a result almost all settings have been dropped, in favor of a simple permission callback and a notification template. Both can be overridden in a user's application to customize behavior as needed.

    The documentation is completely rewritten too. It may serve as a good starting point to understand this change.

    Changes in a nutshell:

    • Add Material style snackbar notification
    • Use permission callbacks instead of settings
    • Provide permission callback for convenience
    • Render and inject notification via middleware
    • Use Django class based views and mixins for permission handling
    • Update the documentation to reflect new design
    • Compile gettext messages during release
    • Switch to SCSS and compile during release
    • Add msgcheck linter for translations
    • Add stylelint as a SCSS linter
    • Update translations
    opened by codingjoe 8
  • fix: user_id isn't always an int

    I'm not sure what casting the user_id as an int is meant to accomplish in views.py, but on one of my projects the user_id is not always an integer and I noticed I was unable to hijack these users.

    Removing lines 16-20 fixes my issue and doesn't appear to have adverse effects. It would also address these issues https://github.com/arteria/django-hijack/issues/183 and https://github.com/arteria/django-hijack/issues/196.

    opened by HappyTepid 8
  • Usage documentation should have working code

    The form markup provided in the documentation doesn't work [1]; working code is in the test project [2], though, when modified.

    [1] https://django-hijack.readthedocs.io/en/stable/#usage
    [2] https://github.com/django-hijack/django-hijack/blob/master/hijack/tests/test_app/templates/user_list.html

    opened by nkuttler 7
  • KeyError: 'CSRF_COOKIE'

    Greetings!

    We have a pretty standard django-hijack setup and most of the time it just works. However, we are noticing in Sentry a flaky hijack issue:

    KeyError: 'CSRF_COOKIE'
      File "django/core/handlers/exception.py", line 55, in inner
        response = get_response(request)
      File "django/utils/deprecation.py", line 136, in __call__
        response = self.process_response(request, response)
      File "hijack/middleware.py", line 47, in process_response
        {"request": request, "csrf_token": request.META["CSRF_COOKIE"]},
    

    So, the library is trying to access CSRF cookie from request.META, but it is not available in the given <WSGIRequest: GET '/'> instance.

    hijack.middleware.HijackUserMiddleware is placed after the CSRF one:

    MIDDLEWARE = [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        ...
        "hijack.middleware.HijackUserMiddleware",
    ]
    

    Sadly, I am still not able to reproduce it. I can only suspect that in certain pages when we are redirecting after hijacking there is no CSRF token set from the template. Do you have any ideas on this, maybe hints?

    I am happy to prepare a patch here or will wait for your solution.

    Best, Rust

    bug 
    opened by amureki 1
  • Feature proposal: hijack expiration

    My org is using django-hijack to allow staff to masquerade as users. We've noticed that our staff users sometimes forget to release the hijack when they're done, and there's been a request to automatically release the hijack after a set time has elapsed. Reviewing the documentation, I see no provision for such a feature.

    More precisely, I'd like to add a setting HIJACK_TIMEOUT_SECONDS, defaulting to None. If the setting has a non-null value, that value is the number of seconds from start of hijack before automatic release of the user. Typical value expected to be on the order of six hours.

    Is this a feature that the django-hijack maintainers would be interested in seeing? If so, we'd be happy to make the changes as a modification of django-hijack and offer up a pull request.


    Please click 👍 if you'd like to see this feature implemented

    enhancement 
    opened by jonkiparsky 2
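One way the proposed `HIJACK_TIMEOUT_SECONDS` behaviour could be enforced, as an added example that is not part of django-hijack or of the proposal: a Django-style middleware that stamps the session when a hijack is first seen and ends it once the timeout has elapsed. The `hijack_started_at` session key and the `release` callable are hypothetical; `is_hijacked_user` is the session flag read by the Jinja filter posted earlier on this page and may be named differently in other versions.

```python
import time

HIJACK_TIMEOUT_SECONDS = 6 * 60 * 60  # proposed setting; None disables expiry
STARTED_KEY = "hijack_started_at"     # hypothetical session key added by this example
FLAG_KEY = "is_hijacked_user"         # flag read by the Jinja filter on this page


class HijackTimeoutMiddleware:
    """End a hijack automatically once it is older than the timeout.

    `release` is a hypothetical callable taking the request; it stands in for
    whatever ends the hijack in the installed django-hijack version.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, get_response, release,
                 timeout=HIJACK_TIMEOUT_SECONDS, clock=time.time):
        self.get_response = get_response
        self.release = release
        self.timeout = timeout
        self.clock = clock

    def __call__(self, request):
        session = getattr(request, "session", None)
        # A None timeout keeps today's behaviour: hijacks never expire.
        if self.timeout is not None and session is not None:
            self._enforce(request, session)
        return self.get_response(request)

    def _enforce(self, request, session):
        if not session.get(FLAG_KEY, False):
            # Not hijacked: drop any stale timestamp from an earlier hijack.
            session.pop(STARTED_KEY, None)
            return
        now = self.clock()
        # The first request of a hijack records its start time in the
        # session, so the deadline does not move with later activity.
        started = session.setdefault(STARTED_KEY, now)
        if now - started >= self.timeout:
            session.pop(STARTED_KEY, None)
            self.release(request)
```

Because the deadline is measured from the start of the hijack rather than from the last request, a forgotten but still active impersonation session ends on schedule.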
  • HIJACK_LOGOUT_REDIRECT_URL not working

    django-hijack v3.0.0 django-hijack-admin v2.1.10

    I'm using the Django admin integration app so I can hijack users from the admin interface.

    When I release a user, Django reloads the last hijacked page instead of loading what I set in my settings:

    HIJACK_LOGOUT_REDIRECT_URL = '/django-admin/auth/user/'
    

    In fact, if I don't set HIJACK_LOGOUT_REDIRECT_URL, the default behavior (loading LOGIN_REDIRECT_URL) doesn't work either.

    docs 
    opened by fidelleon 3
Releases(3.2.6)
  • 3.2.6(Dec 27, 2022)

    What's Changed

    • Fix #520 -- Add support for custom managers on user model by @simonkern and @codingjoe in https://github.com/django-hijack/django-hijack/pull/521

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.5...3.2.6

  • 3.2.5(Nov 29, 2022)

    What's Changed

    • Fix #367 -- Add fallback if LOGOUT_REDIRECT_URL is None by @codingjoe in https://github.com/django-hijack/django-hijack/pull/383
    • Do not access the session unless needed by @codingjoe in https://github.com/django-hijack/django-hijack/pull/509

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.4...3.2.5

  • 3.2.4(Nov 14, 2022)

    What's Changed

    • Hotfix -- Wheel is missing minified static files by @codingjoe in https://github.com/django-hijack/django-hijack/pull/507
    • Add CodeQL to CI suite by @codingjoe in https://github.com/django-hijack/django-hijack/pull/506

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.3...3.2.4

  • 3.2.3(Nov 14, 2022)

    What's Changed

    • docs: update documentation link and version info by @gdvalderrama in https://github.com/django-hijack/django-hijack/pull/489
    • docs: explain how to customize admin hijack button by @gdvalderrama in https://github.com/django-hijack/django-hijack/pull/497
    • Resolve #504 -- Use a RequestContext to render templates by @codingjoe in https://github.com/django-hijack/django-hijack/pull/505

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.2...3.2.3

  • 3.2.2(Sep 11, 2022)

    What's Changed

    • docs: fix security typo by @max-wittig in https://github.com/django-hijack/django-hijack/pull/463
    • docs: fix simple typo, recommened -> recommended by @timgates42 in https://github.com/django-hijack/django-hijack/pull/476
    • Fix CI suite version issues by @codingjoe in https://github.com/django-hijack/django-hijack/pull/486
    • Add Django 4.1 support by @codingjoe in https://github.com/django-hijack/django-hijack/pull/481

    New Contributors

    • @max-wittig made their first contribution in https://github.com/django-hijack/django-hijack/pull/463
    • @timgates42 made their first contribution in https://github.com/django-hijack/django-hijack/pull/476

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.1...3.2.2

  • 3.2.1(May 18, 2022)

    What's Changed

    • Fix typos and spacing by @SableWalnut in https://github.com/django-hijack/django-hijack/pull/434
    • L10n causes error on user PKs > 999 by @dryan in https://github.com/django-hijack/django-hijack/pull/446

    New Contributors

    • @SableWalnut made their first contribution in https://github.com/django-hijack/django-hijack/pull/434
    • @dryan made their first contribution in https://github.com/django-hijack/django-hijack/pull/446

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.0...3.2.1

  • 3.2.0(Mar 31, 2022)

    What's Changed

    • Fix typo by @sondrelg in https://github.com/django-hijack/django-hijack/pull/412
    • Fix #423 -- Add webpack to build css from scss by @codingjoe in https://github.com/django-hijack/django-hijack/pull/429
    • Drop EOL Python and Django versions from CI pipeline by @codingjoe in https://github.com/django-hijack/django-hijack/pull/429

    New Contributors

    • @sondrelg made their first contribution in https://github.com/django-hijack/django-hijack/pull/412

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.6...3.2.0

  • 3.1.6(Feb 22, 2022)

    What's Changed

    • Ignore hijacking logic in response processing in case of empty session by @amureki in https://github.com/django-hijack/django-hijack/pull/408

    New Contributors

    • @amureki made their first contribution in https://github.com/django-hijack/django-hijack/pull/408

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.5...3.1.6

  • 3.1.5(Feb 21, 2022)

    What's Changed

    • Update package lock to version 2 by @codingjoe in https://github.com/django-hijack/django-hijack/pull/382
    • Fix mkdocs build and add CI job by @codingjoe in https://github.com/django-hijack/django-hijack/pull/398
    • Move funding links GitHub sponsorships by @codingjoe in https://github.com/django-hijack/django-hijack/pull/220
    • Do not touch empty sessions to avoid vary on cookie header by @codingjoe in https://github.com/django-hijack/django-hijack/pull/407

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.4...3.1.5

  • 3.1.4(Dec 6, 2021)

    What's Changed

    • Add support for custom user hijack admins by @codingjoe in https://github.com/django-hijack/django-hijack/pull/380

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.3...3.1.4

  • 3.1.3(Nov 23, 2021)

    What's Changed

    • Bump isort from 5.9.3 to 5.10.0 by @dependabot in https://github.com/django-hijack/django-hijack/pull/361
    • Bump isort from 5.10.0 to 5.10.1 by @dependabot in https://github.com/django-hijack/django-hijack/pull/362
    • Bump bandit from 1.7.0 to 1.7.1 by @dependabot in https://github.com/django-hijack/django-hijack/pull/364
    • Bump actions/setup-python from 2.2.2 to 2.3.0 by @dependabot in https://github.com/django-hijack/django-hijack/pull/366
    • Bump black from 21.10b0 to 21.11b1 by @dependabot in https://github.com/django-hijack/django-hijack/pull/368
    • Fix #369 -- Do not allow inactive users to be hijacked by @codingjoe in https://github.com/django-hijack/django-hijack/pull/370

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.2...3.1.3

  • 3.1.2(Nov 3, 2021)

  • 3.1.1(Oct 19, 2021)

  • 3.1.0(Oct 18, 2021)

  • 3.0.4(Oct 1, 2021)

  • 3.0.3(Sep 23, 2021)

  • 3.0.2(Sep 17, 2021)

  • 3.0.1(Sep 16, 2021)

  • 3.0.0(Aug 3, 2021)

  • 3.0rc4(Jul 3, 2021)

  • 3.0rc3(Mar 26, 2021)

    • Fix #250 -- Fix pattern based LOGOUT_REDIRECT_URL
    • Make admin success URL configurable
    • Move short_description into get_changelist_instance (#254)
  • 3.0rc2(Mar 20, 2021)

  • 3.0rc1(Mar 20, 2021)

    BREAKING CHANGES

    This is a complete rewrite of the django-hijack package. All former APIs are broken.

    How to Upgrade

    Please remove your current integration and follow the setup instructions. This also includes removing the unmaintained django-hijack-admin package, which is no longer needed.

    Notable improvements

    • security first design
    • Django admin support was merged into this package
    • easy integration
    • custom user model support
    • customizable design
    • automatic dark-mode theme
  • 2.3.0(Feb 18, 2021)

    • Simplify URL and view structure. Add support for multiple PK types based on URL pattern as well as natural key support via URL patterns.
    • Remove django-compat dependency.
    • Drop special case handling for unsupported Python/Django versions.
    • Deprecate HIJACK_URL_ALLOWED_ATTRIBUTES setting favoring HIJACK_USER_URL_PATTERN.
    • Deprecate URL names login_with_id, login_with_username and login_with_email favoring acquire.
    • Deprecate URL name release_hijack favoring release.
    • Deprecate views login_with_id, login_with_username and login_with_email favoring release_user_view.
    • Deprecate view release_hijack favoring release_user_view.
    • Reformat code and imports (black/isort).
    • Remove old change log file from repo and distributions.
  • 2.2.1(Jan 31, 2021)

  • 2.2.0(Jan 30, 2021)

    • Update CI suite to run against all supported Django and Python versions
    • Resolve Django 4.0 deprecation warnings
    • Clean up packaging and binary and source distributions
  • v2.1.10(Aug 7, 2018)

  • v2.1.7(Feb 16, 2018)

    • Add Danish translations
    • add conditional to use is_authenticated property when django >= 1.10
    • use django MiddlewareMixin to support new style Middleware
    • added tests for HijackRemoteUserMiddleware
  • v2.1.6(Dec 22, 2017)

  • v2.1.5(Dec 5, 2017)

    • added Django 2.0 Support (#149)
    • Remove deprecated signals from version 1 (#115)
    • mini-css-fix: avoid content to be hidden by the fixed notification warning (#125)
    • Spaces mustn't be contained in email (#148)
Django app that enables staff to log in as other users using their own credentials.

Impostor Impostor is a Django application which allows staff members to login as a different user by using their own username and password. Login Logg

Andreu Vallbona Plazas 144 Dec 13, 2022
WebVirtCloud is virtualization web interface for admins and users

WebVirtCloud is a virtualization web interface for admins and users. It can delegate Virtual Machine's to users. A noVNC viewer presents a full graphical console to the guest domain. KVM is currently the only hypervisor supported.

Anatoliy Guskov 1.3k Dec 29, 2022
"Log in as user" for the Django admin.

django-loginas About "Login as user" for the Django admin. loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6. Installing dj

Stavros Korokithakis 326 Dec 3, 2022
BitcartCC is a platform for merchants, users and developers which offers easy setup and use.

BitcartCC is a platform for merchants, users and developers which offers easy setup and use.

BitcartCC 270 Jan 7, 2023
Django Smuggler is a pluggable application for Django Web Framework that helps you to import/export fixtures via the automatically-generated administration interface.

Django Smuggler Django Smuggler is a pluggable application for Django Web Framework to easily dump/load fixtures via the automatically-generated admin

semente 373 Dec 26, 2022
📱 An extension for Django admin that makes interface mobile-friendly. Merged into Django 2.0

Django Flat Responsive django-flat-responsive is included as part of Django from version 2.0! Use this app if your project is powered by an older D

elky 248 Sep 2, 2022
An improved django-admin-tools dashboard for Django projects

django-fluent-dashboard The fluent_dashboard module offers a custom admin dashboard, built on top of django-admin-tools (docs). The django-admin-tools

django-fluent 326 Nov 9, 2022
A Django app for easily adding object tools in the Django admin

Django Object Actions If you've ever tried making admin object tools you may have thought, "why can't this be as easy as making Django Admin Actions?"

Chris Chang 524 Dec 26, 2022
Legacy django jet rebooted, supports only Django 3

Django JET Reboot Rebooting the original project : django-jet. Django Jet is modern template for Django admin interface with improved functionality. W

null 215 Dec 31, 2022
Disable dark mode in Django admin user interface in Django 3.2.x.

Django Non Dark Admin Disable or enable dark mode user interface in Django admin panel (Django==3.2). Installation For install this app run in termina

Artem Galichkin 6 Nov 23, 2022
Nginx UI allows you to access and modify the nginx configurations files without cli.

nginx ui Table of Contents nginx ui Introduction Setup Example Docker UI Authentication Configure the auth file Configure nginx Introduction We use ng

David Schenk 4.3k Dec 31, 2022
Django application and library for importing and exporting data with admin integration.

django-import-export django-import-export is a Django application and library for importing and exporting data with included admin integration. Featur

null 2.6k Jan 7, 2023
Extends the Django Admin to include a extensible dashboard and navigation menu

django-admin-tools django-admin-tools is a collection of extensions/tools for the default django administration interface, it includes: a full feature

Django Admin Tools 731 Dec 28, 2022
WordPress look and feel for Django administration panel

Django WP Admin WordPress look and feel for Django administration panel. Features WordPress look and feel New styles for selector, calendar and timepi

Maciej Marczewski 266 Nov 21, 2022
A cool, modern and responsive django admin application based on bootstrap 5

django-baton A cool, modern and responsive django admin application based on bootstrap 5 Documentation: readthedocs Live Demo Now you can try django-b

Otto srl 678 Jan 1, 2023
fastapi-admin is a fast admin dashboard based on FastAPI and TortoiseORM with tabler ui, inspired by Django admin.

fastapi-admin is a fast admin dashboard based on FastAPI and TortoiseORM with tabler ui, inspired by Django admin.

fastapi-admin 1.6k Dec 30, 2022
Tactical RMM is a remote monitoring & management tool for Windows computers, built with Django and Vue.

Tactical RMM is a remote monitoring & management tool for Windows computers, built with Django and Vue. It uses an agent written in golan

Dan 1.4k Dec 30, 2022
Modern responsive template for the Django admin interface with improved functionality. We are proud to announce completely new Jet. Please check out Live Demo

Django JET Modern template for Django admin interface with improved functionality Attention! NEW JET We are proud to announce completely new Jet. Plea

Geex Arts 3.4k Dec 29, 2022
Drop-in replacement of Django admin comes with lots of goodies, fully extensible with plugin support, pretty UI based on Twitter Bootstrap.

Xadmin Drop-in replacement of Django admin comes with lots of goodies, fully extensible with plugin support, pretty UI based on Twitter Bootstrap. Liv

差沙 4.7k Dec 31, 2022