"Log in as user" for the Django admin.

Overview

django-loginas

About

"Login as user" for the Django admin.

Build Status PyPI version

loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6.

Installing django-loginas

  • Add loginas to your Python path, or install using pip: pip install django-loginas

  • Add the loginas app to your INSTALLED_APPS:

    # settings.py
    INSTALLED_APPS = [... 'loginas', ...]
  • Add the loginas URL to your urls.py:

    # urls.py
    urlpatterns += path("admin/", include('loginas.urls')),
  • If you're using a custom User model, you'll need to add the template to it so the button shows up:

    # admin.py
    class YourUserAdmin(ModelAdmin):
        change_form_template = 'loginas/change_form.html'

At this point, you should be good to go. Just visit the Django admin, navigate to a user and you should see the "Log in as user" button at the top right of the screen.

Configuring

At this point, the only users who will be able to log in as other users are those with the is_superuser permission. If you use custom User models, and haven't specified that permission, or if you want to change which users are authorized to log in as others, you can define the CAN_LOGIN_AS setting, like so:

# settings.py

# This will only allow admins to log in as other users:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser

# This will only allow admins to log in as other users, as long as
# those users are not admins themselves:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser and not target_user.is_superuser

# You can also define a string path to a module:
CAN_LOGIN_AS = "utils.helpers.custom_loginas"

By default, clicking "Login as user" will send the user to settings.LOGIN_REDIRECT_URL. You can override this behavior like so:

# settings.py

LOGINAS_REDIRECT_URL = '/loginas-redirect-url'

In order to automatically restore the original user upon log out, replace the default log out with a special log out that restores the original login session from a signed session.

# settings.py

from django.core.urlresolvers import reverse_lazy
LOGOUT_URL = reverse_lazy('loginas-logout')

Additionally, you can specify the redirect url for logout (the default is settings.LOGIN_REDIRECT_URL).

# settings.py

from django.core.urlresolvers import reverse_lazy
LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')

By default, clicking "Login as user" will not update user.last_login. You can override this behavior like so:

# settings.py

LOGINAS_UPDATE_LAST_LOGIN = True

By default, the login switch message will use the User model's USERNAME_FIELD. You can override this behavior by passing in a different field name:

# settings.py

LOGINAS_USERNAME_FIELD = 'email'

Other implementation suggestions

Existing logout view?

If you already have a logout view, you can modify to login the original user again after having had a "login as" session. Here's an example:

class LogoutView(LogoutView):
    template_name = 'myapp/logged_out.html'

    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        from loginas.utils import restore_original_login
        restore_original_login(request)
        return redirect('myapp:login')

Template awareness

You can add the context processor loginas.context_processors.impersonated_session_status in your settings.py file if you'd like to be able to access a variable is_impersonated_session in all your template contexts:

# settings.py

TEMPLATES = [
    {
        ...
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                ...
                'loginas.context_processors.impersonated_session_status',
            ],
        },
    },
]

Note that django-loginas won't let you log in as other superusers, to prevent privilege escalation from staff users to superusers. If you want to log in as a superuser, first demote them to a non-superuser, and then log in.

License

This software is distributed under the BSD license.

Comments
  • loginas doesn't work if the authentication backend doesn't have `get_user` method

    loginas doesn't work if the authentication backend doesn't have `get_user` method

    django-loginas does not work with django-rules as an Authentication Backend.

    We use django-rules to specify custom authentication rules. As a result, we have this in our settings:

    AUTHENTICATION_BACKENDS = (
        'rules.permissions.ObjectPermissionBackend',
        'django.contrib.auth.backends.ModelBackend',
    )
    

    However, rules.permissions.ObjectPermissionBackend does not specify a get_user method (as seen here). Even though, the Django documentation says that each backend must implement a get_user method, apparently this is not enforced (!?). This was discussed in a django-rules issue here: https://github.com/dfunckt/django-rules/issues/46

    The reason why I believe this is not enforced is because they made some changes in the behavior of force_login (https://code.djangoproject.com/ticket/27542#ticket).

    A quick workaround would be to check if the authentication backend has a get_user method. If not, then continue.

    Does this make sense?

    opened by bbirand 13
  • Don't allow login as other staff users

    Don't allow login as other staff users

    For audit-ability, I don't want superusers to be able to authenticate as other staff users (especially not as other superusers).

    One (or more) of these could work:

    1. Completely disallow logging in as other staff users
    2. Add a setting that when enabled will disallow logging in as other staff users
    3. Add a setting allowing certain user groups to be excluded from the loginas feature
    4. Add a setting restricting the loginas feature to certain user groups
    opened by treyhunner 12
  • Feature Suggestion: Go back to being original user.

    Feature Suggestion: Go back to being original user.

    Nice job thanks!

    You're already storing the original user.pk in the session, it would be great to be able to go back to being who you were without logging out. If there's no objection I'd be happy to add a view for that.

    Then perhaps a context processor to put html for a button in the context when the user is being impersonated. It would be up to the application developer to decide where to place the button so that anyone will be able to see it, since that would vary for every application.

    opened by benmehlman 10
  • Doesn't work with Django 3.0

    Doesn't work with Django 3.0

    Tried the latest django-loginas (master branch of this repo) and got this error:

      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/kryptex/config/urls.py", line 57, in <module>
        url(r'^adminium/', include('loginas.urls')),
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/django/urls/conf.py", line 34, in include
        urlconf_module = import_module(urlconf_module)
      File "/Users/mmalysh/.pyenv/versions/3.6.9/lib/python3.6/importlib/__init__.py", line 126, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/urls.py", line 2, in <module>
        from loginas.views import user_login, user_logout
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/views.py", line 5, in <module>
        from django.utils import six
    ImportError: cannot import name 'six'
    
    opened by maxmalysh 7
  • Feat/admin log entry

    Feat/admin log entry

    Added automatic admin-log-entries like "User X logged in as User Y", added optional context_processor to get the impersonation status in all templates and updated the ReadMe for it.

    opened by lggwettmann 7
  • Feature Idea: view decorator to prompt for login as a different user

    Feature Idea: view decorator to prompt for login as a different user

    Here's the use case:

    1. Staff user logs into admin site
    2. Staff user navigates to Post model's page
    3. Staff user clicks "View on Site"
    4. The post is private so a page is shown to admin user presenting a list of users to re-authenticate as
    5. Staff member selects a user to re-authenticate as and is logged in and redirected to the page
    opened by treyhunner 7
  • Modernize Django URL's

    Modernize Django URL's

    Fixes this warning:

    .../python3.9/site-packages/loginas/urls.py:6: RemovedInDjango40Warning: django.conf.urls.url() is deprecated in favor of django.urls.re_path().
        url(r"^logout/$", user_logout, name="loginas-logout"),
    

    And uses the new path syntax added in Django 2.0

    opened by adamchainz 5
  • Added possibility login as superusers

    Added possibility login as superusers

    Added option CAN_LOGIN_IN_SUPERUSER If CAN_LOGIN_IN_SUPERUSER == True -> you can login as in superuser If CAN_LOGIN_IN_SUPERUSER == False -> you can't login as in superuser By default you can't

    opened by axsapronov 5
  • Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    When admin logging out from delegated session we might want to take user back to admin pages this now can be accomplished by setting var LOGINAS_LOGOUT_REDIRECT_URL instead of always redirecting user back to settings.LOGIN_REDIRECT_URL

    # settings.py
    
    from django.core.urlresolvers import reverse_lazy
    LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')
    
    opened by intellisense 5
  • permissions required to see the log in as button?

    permissions required to see the log in as button?

    Hi,

    What is actually required to display the "log in as" button? I have a user that is in a group A that has the change permission on user but the button is not displayed. I tried to give all the permissions to this group and it did not change anything. Only when I set the user as a super user, he can see the button. Is it required to be a super user to see the "log in as" button?

    Thanks

    opened by YAmikep 5
  • Is there a way to know we are logging in via this method?

    Is there a way to know we are logging in via this method?

    Hi,

    Is there a way to know we are logging in via this method? For example, I do not want the analytics to be triggered on the pages if an admin logs in as a user to check something.

    Thanks

    opened by YAmikep 5
  • Add

    Add "reason" for logging in

    For compliance reasons it might be nice to add a reason for logging in as a user, for example to add a link to the internal support ticket. Just a TextField that gets added to the django admin history would be great.

    opened by timgl 0
  • ImproperlyConfigured if target user is inactive

    ImproperlyConfigured if target user is inactive

    Hello, The default implementation of django.contrib.auth.backends.ModelBackend.get_user prevents inactive users to logging in since Django 1.10 (see user_can_authenticate). I do believe this error should't be critical since you could fix it without updating project configuration and better showing warning / error message instead. How about allow throwing custom exception in can_login_as with the reason why you can't log in as a target user and showing it to the authenticated user in this case?

    opened by pacahon 9
  • django.contrib.admin is required

    django.contrib.admin is required

    It appears as though the loginas app has an undocumented dependency on the django.contrib.admin app in utils.py

    Traceback (most recent call last):                                                                                                                 
    [...]                                                                  
      File "/app/project/apps/accounts/urls.py", line 4, in <module>                                                                                   
        from loginas.views import user_login                                                                                                           
      File "/usr/local/lib/python3.7/site-packages/loginas/views.py", line 11, in <module>                                                             
        from .utils import login_as, restore_original_login                                                                                            
      File "/usr/local/lib/python3.7/site-packages/loginas/utils.py", line 7, in <module>                                                              
        from django.contrib.admin.models import CHANGE, LogEntry                                                                                       
      File "/usr/local/lib/python3.7/site-packages/django/contrib/admin/models.py", line 39, in <module>                                               
        class LogEntry(models.Model):                                                                                                                  
      File "/usr/local/lib/python3.7/site-packages/django/db/models/base.py", line 111, in __new__                                                     
        "INSTALLED_APPS." % (module, name)                                                                                                             
    RuntimeError: Model class django.contrib.admin.models.LogEntry doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.
    

    I believe this could be corrected by testing whether the admin is installed or not, and skipping trying to create the LogEntry if isn't installed. If that makes sense, I can submit a patch to make this change.

    opened by notanumber 2
  • Send user_id with POST

    Send user_id with POST

    Sorry for my English.

    I'm trying to add "Login as" buttons to admin changelist and faced with the complexity associated with the fact that user_id passed via URL. If you will pass it as POST parameter, you will have the opportunity to use single form with multiple buttons like this: <button form="loginas-form" name="user_id" value="{{ user.id }}">Login as {{ user.username }}</button>

    opened by pix666 2
  • Fix translations in wheel files, build translations on build, remove .mo files

    Fix translations in wheel files, build translations on build, remove .mo files

    Hi,

    sorry to bother you again, but nor the WHL file, neither the sdist .tar.gz for 0.3.3 contain the translations.

    Also, they weren't build on install.

    So, I added that to setup.py.

    Also, we need only .po files with translations, as .mo files are being built before the build stage. So I removed .mo files from git and added them to .gitignore .

    I'd love you to review the changes, eventually commit them and create 0.3.4 release. Thanks.

    opened by mpasternak 1
Releases(v0.3.8)
Owner
Stavros Korokithakis
I love writing code, making stupid devices and writing about writing code and making stupid devices.
Stavros Korokithakis
Jet Bridge (Universal) for Jet Admin – API-based Admin Panel Framework for your application

Jet Bridge for Jet Admin – Admin panel framework for your application Description About Jet Admin: https://about.jetadmin.io Live Demo: https://app.je

Jet Admin 1.3k Dec 27, 2022
aiohttp admin is generator for admin interface based on aiohttp

aiohttp admin is generator for admin interface based on aiohttp

Mykhailo Havelia 17 Nov 16, 2022
📱 An extension for Django admin that makes interface mobile-friendly. Merged into Django 2.0

Django Flat Responsive django-flat-responsive is included as part of Django from version 2.0! ?? Use this app if your project is powered by an older D

elky 248 Sep 2, 2022
An improved django-admin-tools dashboard for Django projects

django-fluent-dashboard The fluent_dashboard module offers a custom admin dashboard, built on top of django-admin-tools (docs). The django-admin-tools

django-fluent 326 Nov 9, 2022
A Django app for easily adding object tools in the Django admin

Django Object Actions If you've ever tried making admin object tools you may have thought, "why can't this be as easy as making Django Admin Actions?"

Chris Chang 524 Dec 26, 2022
Disable dark mode in Django admin user interface in Django 3.2.x.

Django Non Dark Admin Disable or enable dark mode user interface in Django admin panel (Django==3.2). Installation For install this app run in termina

Artem Galichkin 6 Nov 23, 2022
Modern responsive template for the Django admin interface with improved functionality. We are proud to announce completely new Jet. Please check out Live Demo

Django JET Modern template for Django admin interface with improved functionality Attention! NEW JET We are proud to announce completely new Jet. Plea

Geex Arts 3.4k Dec 29, 2022
Drop-in replacement of Django admin comes with lots of goodies, fully extensible with plugin support, pretty UI based on Twitter Bootstrap.

Xadmin Drop-in replacement of Django admin comes with lots of goodies, fully extensible with plugin support, pretty UI based on Twitter Bootstrap. Liv

差沙 4.7k Dec 31, 2022
A jazzy skin for the Django Admin-Interface (official repository).

Django Grappelli A jazzy skin for the Django admin interface. Grappelli is a grid-based alternative/extension to the Django administration interface.

Patrick Kranzlmueller 3.4k Dec 31, 2022
A Django admin theme using Twitter Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed apps.

django-admin-bootstrapped A Django admin theme using Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed ap

null 1.6k Dec 28, 2022
django's default admin interface made customizable. popup windows replaced by modals. :mage: :zap:

django-admin-interface django-admin-interface is a modern responsive flat admin interface customizable by the admin itself. Features Beautiful default

Fabio Caccamo 1.3k Dec 31, 2022
Extendable, adaptable rewrite of django.contrib.admin

django-admin2 One of the most useful parts of django.contrib.admin is the ability to configure various views that touch and alter data. django-admin2

Jazzband 1.2k Dec 29, 2022
Modern theme for Django admin interface

Django Suit Modern theme for Django admin interface. Django Suit is alternative theme/skin/extension for Django administration interface. Project home

Kaspars Sprogis 2.2k Dec 29, 2022
Django application and library for importing and exporting data with admin integration.

django-import-export django-import-export is a Django application and library for importing and exporting data with included admin integration. Featur

null 2.6k Jan 7, 2023
:honey_pot: A fake Django admin login screen page.

django-admin-honeypot django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access. This app wa

Derek Payton 907 Dec 31, 2022
Visually distinguish environments in Django Admin

django-admin-env-notice Visually distinguish environments in Django Admin. Based on great advice from post: 5 ways to make Django Admin safer by hakib

Yuri Shikanov 258 Nov 30, 2022
A new style for Django admin

Djamin Djamin a new and clean styles for Django admin based in Google projects styles. Quick start Install djamin: pip install -e git://github.com/her

Herson Leite 236 Dec 15, 2022
Responsive Theme for Django Admin With Sidebar Menu

Responsive Django Admin If you're looking for a version compatible with Django 1.8 just install 0.3.7.1. Features Responsive Sidebar Menu Easy install

Douglas Miranda 852 Dec 2, 2022
A Django admin theme using Twitter Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed apps.

django-admin-bootstrapped A Django admin theme using Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed ap

null 1.6k Dec 28, 2022