"Log in as user" for the Django admin.

Overview

django-loginas

About

"Login as user" for the Django admin.

Build Status PyPI version

loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6.

Installing django-loginas

  • Add loginas to your Python path, or install using pip: pip install django-loginas

  • Add the loginas app to your INSTALLED_APPS:

    # settings.py
    INSTALLED_APPS = [... 'loginas', ...]
  • Add the loginas URL to your urls.py:

    # urls.py
    urlpatterns += path("admin/", include('loginas.urls')),
  • If you're using a custom User model, you'll need to add the template to it so the button shows up:

    # admin.py
    class YourUserAdmin(ModelAdmin):
        change_form_template = 'loginas/change_form.html'

At this point, you should be good to go. Just visit the Django admin, navigate to a user and you should see the "Log in as user" button at the top right of the screen.

Configuring

At this point, the only users who will be able to log in as other users are those with the is_superuser permission. If you use custom User models, and haven't specified that permission, or if you want to change which users are authorized to log in as others, you can define the CAN_LOGIN_AS setting, like so:

# settings.py

# This will only allow admins to log in as other users:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser

# This will only allow admins to log in as other users, as long as
# those users are not admins themselves:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser and not target_user.is_superuser

# You can also define a string path to a module:
CAN_LOGIN_AS = "utils.helpers.custom_loginas"

By default, clicking "Login as user" will send the user to settings.LOGIN_REDIRECT_URL. You can override this behavior like so:

# settings.py

LOGINAS_REDIRECT_URL = '/loginas-redirect-url'

In order to automatically restore the original user upon log out, replace the default log out with a special log out that restores the original login session from a signed session.

# settings.py

from django.core.urlresolvers import reverse_lazy
LOGOUT_URL = reverse_lazy('loginas-logout')

Additionally, you can specify the redirect url for logout (the default is settings.LOGIN_REDIRECT_URL).

# settings.py

from django.core.urlresolvers import reverse_lazy
LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')

By default, clicking "Login as user" will not update user.last_login. You can override this behavior like so:

# settings.py

LOGINAS_UPDATE_LAST_LOGIN = True

By default, the login switch message will use the User model's USERNAME_FIELD. You can override this behavior by passing in a different field name:

# settings.py

LOGINAS_USERNAME_FIELD = 'email'

Other implementation suggestions

Existing logout view?

If you already have a logout view, you can modify to login the original user again after having had a "login as" session. Here's an example:

class LogoutView(LogoutView):
    template_name = 'myapp/logged_out.html'

    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        from loginas.utils import restore_original_login
        restore_original_login(request)
        return redirect('myapp:login')

Template awareness

You can add the context processor loginas.context_processors.impersonated_session_status in your settings.py file if you'd like to be able to access a variable is_impersonated_session in all your template contexts:

# settings.py

TEMPLATES = [
    {
        ...
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                ...
                'loginas.context_processors.impersonated_session_status',
            ],
        },
    },
]

Note that django-loginas won't let you log in as other superusers, to prevent privilege escalation from staff users to superusers. If you want to log in as a superuser, first demote them to a non-superuser, and then log in.

License

This software is distributed under the BSD license.

Comments
  • loginas doesn't work if the authentication backend doesn't have `get_user` method

    loginas doesn't work if the authentication backend doesn't have `get_user` method

    django-loginas does not work with django-rules as an Authentication Backend.

    We use django-rules to specify custom authentication rules. As a result, we have this in our settings:

    AUTHENTICATION_BACKENDS = (
        'rules.permissions.ObjectPermissionBackend',
        'django.contrib.auth.backends.ModelBackend',
    )
    

    However, rules.permissions.ObjectPermissionBackend does not specify a get_user method (as seen here). Even though, the Django documentation says that each backend must implement a get_user method, apparently this is not enforced (!?). This was discussed in a django-rules issue here: https://github.com/dfunckt/django-rules/issues/46

    The reason why I believe this is not enforced is because they made some changes in the behavior of force_login (https://code.djangoproject.com/ticket/27542#ticket).

    A quick workaround would be to check if the authentication backend has a get_user method. If not, then continue.

    Does this make sense?

    opened by bbirand 13
  • Don't allow login as other staff users

    Don't allow login as other staff users

    For audit-ability, I don't want superusers to be able to authenticate as other staff users (especially not as other superusers).

    One (or more) of these could work:

    1. Completely disallow logging in as other staff users
    2. Add a setting that when enabled will disallow logging in as other staff users
    3. Add a setting allowing certain user groups to be excluded from the loginas feature
    4. Add a setting restricting the loginas feature to certain user groups
    opened by treyhunner 12
  • Feature Suggestion: Go back to being original user.

    Feature Suggestion: Go back to being original user.

    Nice job thanks!

    You're already storing the original user.pk in the session, it would be great to be able to go back to being who you were without logging out. If there's no objection I'd be happy to add a view for that.

    Then perhaps a context processor to put html for a button in the context when the user is being impersonated. It would be up to the application developer to decide where to place the button so that anyone will be able to see it, since that would vary for every application.

    opened by benmehlman 10
  • Doesn't work with Django 3.0

    Doesn't work with Django 3.0

    Tried the latest django-loginas (master branch of this repo) and got this error:

      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/kryptex/config/urls.py", line 57, in <module>
        url(r'^adminium/', include('loginas.urls')),
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/django/urls/conf.py", line 34, in include
        urlconf_module = import_module(urlconf_module)
      File "/Users/mmalysh/.pyenv/versions/3.6.9/lib/python3.6/importlib/__init__.py", line 126, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/urls.py", line 2, in <module>
        from loginas.views import user_login, user_logout
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/views.py", line 5, in <module>
        from django.utils import six
    ImportError: cannot import name 'six'
    
    opened by maxmalysh 7
  • Feat/admin log entry

    Feat/admin log entry

    Added automatic admin-log-entries like "User X logged in as User Y", added optional context_processor to get the impersonation status in all templates and updated the ReadMe for it.

    opened by lggwettmann 7
  • Feature Idea: view decorator to prompt for login as a different user

    Feature Idea: view decorator to prompt for login as a different user

    Here's the use case:

    1. Staff user logs into admin site
    2. Staff user navigates to Post model's page
    3. Staff user clicks "View on Site"
    4. The post is private so a page is shown to admin user presenting a list of users to re-authenticate as
    5. Staff member selects a user to re-authenticate as and is logged in and redirected to the page
    opened by treyhunner 7
  • Modernize Django URL's

    Modernize Django URL's

    Fixes this warning:

    .../python3.9/site-packages/loginas/urls.py:6: RemovedInDjango40Warning: django.conf.urls.url() is deprecated in favor of django.urls.re_path().
        url(r"^logout/$", user_logout, name="loginas-logout"),
    

    And uses the new path syntax added in Django 2.0

    opened by adamchainz 5
  • Added possibility login as superusers

    Added possibility login as superusers

    Added option CAN_LOGIN_IN_SUPERUSER If CAN_LOGIN_IN_SUPERUSER == True -> you can login as in superuser If CAN_LOGIN_IN_SUPERUSER == False -> you can't login as in superuser By default you can't

    opened by axsapronov 5
  • Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    When admin logging out from delegated session we might want to take user back to admin pages this now can be accomplished by setting var LOGINAS_LOGOUT_REDIRECT_URL instead of always redirecting user back to settings.LOGIN_REDIRECT_URL

    # settings.py
    
    from django.core.urlresolvers import reverse_lazy
    LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')
    
    opened by intellisense 5
  • permissions required to see the log in as button?

    permissions required to see the log in as button?

    Hi,

    What is actually required to display the "log in as" button? I have a user that is in a group A that has the change permission on user but the button is not displayed. I tried to give all the permissions to this group and it did not change anything. Only when I set the user as a super user, he can see the button. Is it required to be a super user to see the "log in as" button?

    Thanks

    opened by YAmikep 5
  • Is there a way to know we are logging in via this method?

    Is there a way to know we are logging in via this method?

    Hi,

    Is there a way to know we are logging in via this method? For example, I do not want the analytics to be triggered on the pages if an admin logs in as a user to check something.

    Thanks

    opened by YAmikep 5
  • Add

    Add "reason" for logging in

    For compliance reasons it might be nice to add a reason for logging in as a user, for example to add a link to the internal support ticket. Just a TextField that gets added to the django admin history would be great.

    opened by timgl 0
  • ImproperlyConfigured if target user is inactive

    ImproperlyConfigured if target user is inactive

    Hello, The default implementation of django.contrib.auth.backends.ModelBackend.get_user prevents inactive users to logging in since Django 1.10 (see user_can_authenticate). I do believe this error should't be critical since you could fix it without updating project configuration and better showing warning / error message instead. How about allow throwing custom exception in can_login_as with the reason why you can't log in as a target user and showing it to the authenticated user in this case?

    opened by pacahon 9
  • django.contrib.admin is required

    django.contrib.admin is required

    It appears as though the loginas app has an undocumented dependency on the django.contrib.admin app in utils.py

    Traceback (most recent call last):                                                                                                                 
    [...]                                                                  
      File "/app/project/apps/accounts/urls.py", line 4, in <module>                                                                                   
        from loginas.views import user_login                                                                                                           
      File "/usr/local/lib/python3.7/site-packages/loginas/views.py", line 11, in <module>                                                             
        from .utils import login_as, restore_original_login                                                                                            
      File "/usr/local/lib/python3.7/site-packages/loginas/utils.py", line 7, in <module>                                                              
        from django.contrib.admin.models import CHANGE, LogEntry                                                                                       
      File "/usr/local/lib/python3.7/site-packages/django/contrib/admin/models.py", line 39, in <module>                                               
        class LogEntry(models.Model):                                                                                                                  
      File "/usr/local/lib/python3.7/site-packages/django/db/models/base.py", line 111, in __new__                                                     
        "INSTALLED_APPS." % (module, name)                                                                                                             
    RuntimeError: Model class django.contrib.admin.models.LogEntry doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.
    

    I believe this could be corrected by testing whether the admin is installed or not, and skipping trying to create the LogEntry if isn't installed. If that makes sense, I can submit a patch to make this change.

    opened by notanumber 2
  • Send user_id with POST

    Send user_id with POST

    Sorry for my English.

    I'm trying to add "Login as" buttons to admin changelist and faced with the complexity associated with the fact that user_id passed via URL. If you will pass it as POST parameter, you will have the opportunity to use single form with multiple buttons like this: <button form="loginas-form" name="user_id" value="{{ user.id }}">Login as {{ user.username }}</button>

    opened by pix666 2
  • Fix translations in wheel files, build translations on build, remove .mo files

    Fix translations in wheel files, build translations on build, remove .mo files

    Hi,

    sorry to bother you again, but nor the WHL file, neither the sdist .tar.gz for 0.3.3 contain the translations.

    Also, they weren't build on install.

    So, I added that to setup.py.

    Also, we need only .po files with translations, as .mo files are being built before the build stage. So I removed .mo files from git and added them to .gitignore .

    I'd love you to review the changes, eventually commit them and create 0.3.4 release. Thanks.

    opened by mpasternak 1
Releases(v0.3.8)
Owner
Stavros Korokithakis
I love writing code, making stupid devices and writing about writing code and making stupid devices.
Stavros Korokithakis
FLEX (Federated Learning EXchange,FLEX) protocol is a set of standardized federal learning agreements designed by Tongdun AI Research Group。

Click to view Chinese version FLEX (Federated Learning Exchange) protocol is a set of standardized federal learning agreements designed by Tongdun AI

同盾科技 50 Nov 29, 2022
AdminFinderV1.5 - Hacking Website Admin Finder Defacer Script

Assalamualaikum Kembali Lagi bersama gua sang culun+nolep ini :v AdminFinder New

KOBUSTOR GHOST TEAM 2 Feb 15, 2022
PyMMO is a Python-based MMO game framework using sockets and PyGame.

PyMMO is a Python framework/template of a MMO game built using PyGame on top of Python's built-in socket module.

Luis Souto Maior 61 Dec 18, 2022
WordPress look and feel for Django administration panel

Django WP Admin WordPress look and feel for Django administration panel. Features WordPress look and feel New styles for selector, calendar and timepi

Maciej Marczewski 266 Nov 21, 2022
Disable dark mode in Django admin user interface in Django 3.2.x.

Django Non Dark Admin Disable or enable dark mode user interface in Django admin panel (Django==3.2). Installation For install this app run in termina

Artem Galichkin 6 Nov 23, 2022
Python Crypto Bot

Python Crypto Bot

Michael Whittle 1.6k Jan 06, 2023
spider-admin-pro

Spider Admin Pro Github: https://github.com/mouday/spider-admin-pro Gitee: https://gitee.com/mouday/spider-admin-pro Pypi: https://pypi.org/

mouday 289 Jan 06, 2023
Django Smuggler is a pluggable application for Django Web Framework that helps you to import/export fixtures via the automatically-generated administration interface.

Django Smuggler Django Smuggler is a pluggable application for Django Web Framework to easily dump/load fixtures via the automatically-generated admin

semente 373 Dec 26, 2022
Material design for django administration

Django Material Administration Quick start pip install django-material-admin Add material.admin and material.admin.default to your INSTALLED_APPS sett

Anton 279 Jan 05, 2023
手部21个关键点检测,二维手势姿态,手势识别,pytorch,handpose

手部21个关键点检测,二维手势姿态,手势识别,pytorch,handpose

Eric.Lee 321 Dec 30, 2022
WebVirtCloud is virtualization web interface for admins and users

WebVirtCloud is a virtualization web interface for admins and users. It can delegate Virtual Machine's to users. A noVNC viewer presents a full graphical console to the guest domain. KVM is currently

Anatoliy Guskov 1.3k Dec 29, 2022
Django app that enables staff to log in as other users using their own credentials.

Impostor Impostor is a Django application which allows staff members to login as a different user by using their own username and password. Login Logg

Andreu Vallbona Plazas 144 Dec 13, 2022
EOD (Easy and Efficient Object Detection) is a general object detection model production framework.

EOD (Easy and Efficient Object Detection) is a general object detection model production framework.

383 Jan 07, 2023
A configurable set of panels that display various debug information about the current request/response.

Django Debug Toolbar The Django Debug Toolbar is a configurable set of panels that display various debug information about the current request/respons

Jazzband 7.3k Dec 31, 2022
Video Visual Relation Detection (VidVRD) tracklets generation. also for ACM MM Visual Relation Understanding Grand Challenge

VidVRD-tracklets This repository contains codes for Video Visual Relation Detection (VidVRD) tracklets generation based on MEGA and deepSORT. These tr

25 Dec 21, 2022
AaPanel - Simple but Powerful web-based Control Panel

Introduction: aaPanel is the International version for BAOTA panel(www.bt.cn) There have millions servers had installed BAOTA panel since 2014 in Chin

bt.cn 1.4k Jan 09, 2023
"Log in as user" for the Django admin.

django-loginas About "Login as user" for the Django admin. loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6. Installing dj

Stavros Korokithakis 326 Dec 03, 2022
Ajenti Core and stock plugins

Ajenti is a Linux & BSD modular server admin panel. Ajenti 2 provides a new interface and a better architecture, developed with Python3 and AngularJS.

Ajenti Project 7k Jan 07, 2023
Firebase Admin Console is a centralized platform for easy viewing and maintenance of Firestore database, the back-end API is a Python Flask app.

Firebase Admin Console is a centralized platform for easy viewing and maintenance of Firestore database, the back-end API is a Python Flask app. A starting template for developers to customize, build

Daqi Chen 1 Sep 10, 2022
A python application for manipulating pandas data frames from the comfort of your web browser

A python application for manipulating pandas data frames from the comfort of your web browser. Data flows are represented as a Directed Acyclic Graph, and nodes can be ran individually as the user se

Schlerp 161 Jan 04, 2023