With Django Hijack, admins can log in and work on behalf of other users without having to know their credentials.

Django Hijack

Screenshot of the notification seen while hijacking another user.

Docs

3.x docs are available in the docs folder. This version provides a security first design, easy integration, customisation, out-of-the-box Django admin support and dark-mode. It is a complete rewrite and all former APIs are broken.

2.x docs are available on Read the Docs http://django-hijack.readthedocs.org/en/stable/.

Testimonials

I am using django-hijack on a project with hundreds of users, wonderful tool for support. Thank you!

-- benzinonapoloni on reddit

This is a super useful tool. I have a site where I am occasionally impersonating users to help troubleshoot their issues. This is a huge time saver.

-- orangishyellow on reddit

... one of our standard apps to install now.

-- thundersnow on reddit

Love django-hijack

-- bmihelac on Twitter

Donations

django-hijack is free software. If you find it useful and would like to give back, please consider making a donation using Bitcoin or PayPal. Thank you!
Comments
  • Maintainership

    Hi @philippeowagner,

    Let me start by expressing my gratitude towards the hours you and other contributors have sunk into this project. With that in mind, it would be sad to see this library fade away. Looking at the current state of the repository, it might be time to consider putting this project under new maintainership, to fuel the project with new enthusiasm.

    Since you are a @jazzband member yourself, that would certainly be an option. If you prefer a corporate or individual maintainer, that could also be arranged.

    Maybe you find the time to share your thoughts.

    Best, Joe

    opened by codingjoe 16
  • skip hijack if request or request.session is None

    Bumped into a case where request is None when trying to render a template error message after an uncaught exception elsewhere in the application, resulting in another exception in hijack_tags.py. The changes in this pull request handle this by checking for request==None and request.session==None before trying to get the session attributes.

    opened by khpeterson 16
  • Hijack session variables are not available until after hijack is fully completed

    I am using the builtin django auth signal user_logged_in to record when a user logs in and store metadata about their login. However, I do not want to keep track of hijacked logins. This presents an issue because at the point a user is logged in via hijack https://github.com/arteria/django-hijack/blob/master/hijack/helpers.py#L110, the session variables are not set, which does make sense since you wouldn't want to set session variables before a login completely succeeds.

    Perhaps, there could be some other session variable set at the beginning of the login_user method that would give an indication that the user's login is being handled from django-hijack.

    opened by alex-kaufman 11
  • A lot of work with django-hijack

    @philippeowagner We should probably discuss the changes outside of Github. I wrote you in KeyBase. My package on test.pypi https://test.pypi.org/project/django-hijack/

    === (3.0.0) ===

    • Drop support for python<3.5
    • Drop support for Django<2.2
    • Big code refactoring
    • CI improvements, automatically pypi deploy
    • Added wheel for pypi build
    opened by Mogost 10
  • Django-jinja2 integration

    Hello! Thanks for making hijack. Been using it on my site, but we just switched most of our main pages to using django-jinja for template rendering and thought that you might like to have in the system the code we needed to use to get the tag to work.

    Writing a Jinja2 extension is very difficult, and there were no documented examples I could find of how to write an extension that required the request object, so I implemented it as a filter on the request object. So in place of {% hijack_notification %} I used {{ request|hijack_filter }} and then made an entry in jinja_filters.py like so:

    import django
    from django.template.loader import render_to_string
    from django.utils.safestring import mark_safe
    from django_jinja import library
    from hijack import settings as hijack_settings

    @library.filter
    def hijack_filter(request):
        # Pick the notification template that matches the configured styling.
        if hijack_settings.HIJACK_USE_BOOTSTRAP:
            template_name = 'hijack/notifications_bootstrap.html'
        else:
            template_name = 'hijack/notifications.html'
        ans = ''
        # Render the warning only while a hijack is active and warnings are enabled.
        if request is not None and all([
            hijack_settings.HIJACK_DISPLAY_WARNING,
            request.session.get('is_hijacked_user', False),
            request.session.get('display_hijack_warning', False),
        ]):
            if django.VERSION < (1, 8):
                # Older Django takes the request through a RequestContext.
                from django.template import RequestContext
                ans = render_to_string(template_name, context_instance=RequestContext(request))
            else:
                ans = render_to_string(template_name, request=request)
        # The output comes from the package's own template, so it is marked safe.
        return mark_safe(ans)
    

    In config.settings, in the TEMPLATES setting for django_jinja.backend.Jinja2, add a dict under OPTIONS:

    "filters": {
                    "hijack_filter": 'myapp.utilities.jinja_filters.hijack_filter',
               },
    

    Hope that this is helpful to others or can become a part of the default hijack installation.

    waiting for feedback 
    opened by mscuthbert 10
  • Add support for non-integer primary key user models

    Simplify URL and view structure. Add support for multiple PK types based on URL pattern as well as natural key support via URL patterns.

    Changes:

    • Deprecate HIJACK_URL_ALLOWED_ATTRIBUTES setting favoring HIJACK_USER_URL_PATTERN.
    • Deprecate URL names login_with_id, login_with_username and login_with_email favoring acquire.
    • Deprecate URL name release_hijack favoring release.
    • Deprecate views login_with_id, login_with_username and login_with_email favoring release_user_view.
    • Deprecate view release_hijack favoring release_user_view.

    Close #196 Close #183 Close #184 Close #198 Close #147 Close #175

    opened by codingjoe 9
  • The authentication was broken

    After installing the module on the site, I began to notice that some users see some pages of other users. How can I fix this? Django: 2.0.1, Python: 3.6.4, django-hijack: 2.1.6, django-hijack-admin: 2.1.6

    waiting for feedback 
    opened by GitBib 9
  • HTML should not be parsed with regex

    The middleware's process_response method uses regex to parse the HTML response and inject content.

    This is easily broken, leading to the content being injected in the wrong place or not at all.

    I will open a PR with unit tests showing this.

    See this stackoverflow post as to why parsing HTML with regex is a bad idea.

    opened by LincolnPuzey 8
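
The failure mode described in this issue, as an added example that is not django-hijack's middleware code: the regex is an assumed stand-in for a textual `</body>` match, and the banner markup and sample page are constructed. Locating the insertion point with a parser keeps the impersonation banner from landing inside a comment or script string, where it would never be shown.

```python
import re
from html.parser import HTMLParser

# Constructed banner markup and page; neither is taken from django-hijack.
BANNER = '<div class="hijack-notification">Working on behalf of another user</div>'
SAMPLE = (
    "<html><body>\n"
    "<!-- old layout ended here: </body> -->\n"
    "<script>var tpl = '<p>hi</p></body>';</script>\n"
    "<p>Account settings</p>\n"
    "</body></html>\n"
)

# Assumed stand-in for a regex-based injector, not the project's pattern.
BODY_CLOSE = re.compile(r"</body>", re.IGNORECASE)


def inject_with_regex(html, banner=BANNER):
    """Insert the banner before the first textual match of </body>."""
    return BODY_CLOSE.sub(lambda m: banner + m.group(0), html, count=1)


class PageScan(HTMLParser):
    """Records the real </body> end tag and whether the banner is an element."""

    def __init__(self, source):
        super().__init__()
        # Absolute offset of every line start, to convert getpos() results.
        self.line_starts = [0] + [m.end() for m in re.finditer("\n", source)]
        self.body_close = None
        self.banner_seen = False
        self.feed(source)
        self.close()

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if "hijack-notification" in classes:
            self.banner_seen = True

    def handle_endtag(self, tag):
        # Comments and <script>/<style> bodies never reach this callback.
        if tag == "body":
            line, col = self.getpos()
            self.body_close = self.line_starts[line - 1] + col


def inject_with_parser(html, banner=BANNER):
    """Insert before the last parsed </body>; None means no safe anchor."""
    at = PageScan(html).body_close
    if at is None:
        return None  # caller decides: log, append, or fail the response
    return html[:at] + banner + html[at:]


def banner_rendered(html):
    """True only if the banner survives as a real element in the markup."""
    return PageScan(html).banner_seen


if __name__ == "__main__":
    print("regex :", banner_rendered(inject_with_regex(SAMPLE)))
    print("parser:", banner_rendered(inject_with_parser(SAMPLE)))
```

A response for which `inject_with_parser` returns `None` is worth logging, since a hijacked session would otherwise continue without any visible notice.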
  • Complete rewrite with a focus on security

    The old design was based on a lot of untested behavior that has since been included in Django itself, including proper testing and security oversight.

    This refactoring uses those new tools and aims to greatly simplify the overall design. This simplification should keep potential exposure to a minimum.

    As a result almost all settings have been dropped, in favor of a simple permission callback and a notification template. Both can be overridden in a user's application to customize behavior as needed.

    The documentation is completely rewritten too. It may serve as a good starting point to understand this change.

    Changes in a nutshell:

    • Add Material style snackbar notification
    • Use permission callbacks instead of settings
    • Provide permission callback for convenience
    • Render and inject notification via middleware
    • Use Django class based views and mixins for permission handling
    • Update the documentation to reflect new design
    • Compile gettext messages during release
    • Switch to SCSS and compile during release
    • Add msgcheck linter for translations
    • Add stylelint as a SCSS linter
    • Update translations
    opened by codingjoe 8
  • fix: user_id isn't always an int

    I'm not sure what casting the user_id as an int is meant to accomplish in views.py, but on one of my projects the user_id is not always an integer and I noticed I was unable to hijack these users.

    Removing lines 16-20 fixes my issue and doesn't appear to have adverse effects. It would also address these issues https://github.com/arteria/django-hijack/issues/183 and https://github.com/arteria/django-hijack/issues/196.

    opened by HappyTepid 8
  • Usage documentation should have working code

    The form markup provided in the documentation doesn't work [1], working code is in the test project [2] though when modified.

    [1] https://django-hijack.readthedocs.io/en/stable/#usage
    [2] https://github.com/django-hijack/django-hijack/blob/master/hijack/tests/test_app/templates/user_list.html

    opened by nkuttler 7
  • KeyError: 'CSRF_COOKIE'

    Greetings!

    We have a pretty standard django-hijack setup and most of the time it just works. However, we are noticing in Sentry a flaky hijack issue:

    KeyError: 'CSRF_COOKIE'
      File "django/core/handlers/exception.py", line 55, in inner
        response = get_response(request)
      File "django/utils/deprecation.py", line 136, in __call__
        response = self.process_response(request, response)
      File "hijack/middleware.py", line 47, in process_response
        {"request": request, "csrf_token": request.META["CSRF_COOKIE"]},
    

    So, the library is trying to access CSRF cookie from request.META, but it is not available in the given <WSGIRequest: GET '/'> instance.

    hijack.middleware.HijackUserMiddleware is placed after the CSRF one:

    MIDDLEWARE = [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        ...
        "hijack.middleware.HijackUserMiddleware",
    ]
    

    Sadly, I am still not able to reproduce it. I can only suspect that in certain pages when we are redirecting after hijacking there is no CSRF token set from template. Do you have any ideas on this, maybe hints?

    I am happy to prepare a patch here or will wait for your solution.

    Best, Rust

    bug 
    opened by amureki 1
  • Feature proposal: hijack expiration

    My org is using django-hijack to allow staff to masquerade as users. We've noticed that our staff users sometimes forget to release the hijack when they're done, and there's been a request to automatically release the hijack after a set time has elapsed. Reviewing the documentation, I see no provision for such a feature.

    More precisely, I'd like to add a setting HIJACK_TIMEOUT_SECONDS, defaulting to None. If the setting has a non-null value, that value is the number of seconds from start of hijack before automatic release of the user. Typical value expected to be on the order of six hours.

    Is this a feature that the django-hijack maintainers would be interested in seeing? If so, we'd be happy to make the changes as a modification of django-hijack and offer up a pull request.


    Please click 👍 if you'd like to see this feature implemented

    enhancement 
    opened by jonkiparsky 2
  • HIJACK_LOGOUT_REDIRECT_URL not working

    django-hijack v3.0.0 django-hijack-admin v2.1.10

    I'm using the Django admin integration app so I can hijack users from the admin interface.

    When I release a user, Django reloads the last hijacked page instead of loading what I set in my settings:

    HIJACK_LOGOUT_REDIRECT_URL = '/django-admin/auth/user/'
    

    In fact, if I don't set HIJACK_LOGOUT_REDIRECT_URL, the default behavior (loading LOGIN_REDIRECT_URL) doesn't work either.

    docs 
    opened by fidelleon 3
Releases(3.2.6)
  • 3.2.6(Dec 27, 2022)

    What's Changed

    • Fix #520 -- Add support for custom managers on user model by @simonkern and @codingjoe in https://github.com/django-hijack/django-hijack/pull/521

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.5...3.2.6

  • 3.2.5(Nov 29, 2022)

    What's Changed

    • Fix #367 -- Add fallback if LOGOUT_REDIRECT_URL is None by @codingjoe in https://github.com/django-hijack/django-hijack/pull/383
    • Do not access the session unless needed by @codingjoe in https://github.com/django-hijack/django-hijack/pull/509

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.4...3.2.5

  • 3.2.4(Nov 14, 2022)

    What's Changed

    • Hotfix -- Wheel is missing minified static files by @codingjoe in https://github.com/django-hijack/django-hijack/pull/507
    • Add CodeQL to CI suite by @codingjoe in https://github.com/django-hijack/django-hijack/pull/506

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.3...3.2.4

  • 3.2.3(Nov 14, 2022)

    What's Changed

    • docs: update documentation link and version info by @gdvalderrama in https://github.com/django-hijack/django-hijack/pull/489
    • docs: explain how to customize admin hijack button by @gdvalderrama in https://github.com/django-hijack/django-hijack/pull/497
    • Resolve #504 -- Use a RequestContext to render templates by @codingjoe in https://github.com/django-hijack/django-hijack/pull/505

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.2...3.2.3

  • 3.2.2(Sep 11, 2022)

    What's Changed

    • docs: fix security typo by @max-wittig in https://github.com/django-hijack/django-hijack/pull/463
    • docs: fix simple typo, recommened -> recommended by @timgates42 in https://github.com/django-hijack/django-hijack/pull/476
    • Fix CI suite version issues by @codingjoe in https://github.com/django-hijack/django-hijack/pull/486
    • Add Django 4.1 support by @codingjoe in https://github.com/django-hijack/django-hijack/pull/481

    New Contributors

    • @max-wittig made their first contribution in https://github.com/django-hijack/django-hijack/pull/463
    • @timgates42 made their first contribution in https://github.com/django-hijack/django-hijack/pull/476

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.1...3.2.2

  • 3.2.1(May 18, 2022)

    What's Changed

    • Fix typos and spacing by @SableWalnut in https://github.com/django-hijack/django-hijack/pull/434
    • L10n causes error on user PKs > 999 by @dryan in https://github.com/django-hijack/django-hijack/pull/446

    New Contributors

    • @SableWalnut made their first contribution in https://github.com/django-hijack/django-hijack/pull/434
    • @dryan made their first contribution in https://github.com/django-hijack/django-hijack/pull/446

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.2.0...3.2.1

  • 3.2.0(Mar 31, 2022)

    What's Changed

    • Fix typo by @sondrelg in https://github.com/django-hijack/django-hijack/pull/412
    • Fix #423 -- Add webpack to build css from scss by @codingjoe in https://github.com/django-hijack/django-hijack/pull/429
    • Drop EOL Python and Django versions from CI pipeline by @codingjoe in https://github.com/django-hijack/django-hijack/pull/429

    New Contributors

    • @sondrelg made their first contribution in https://github.com/django-hijack/django-hijack/pull/412

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.6...3.2.0

  • 3.1.6(Feb 22, 2022)

    What's Changed

    • Ignore hijacking logic in response processing in case of empty session by @amureki in https://github.com/django-hijack/django-hijack/pull/408

    New Contributors

    • @amureki made their first contribution in https://github.com/django-hijack/django-hijack/pull/408

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.5...3.1.6

  • 3.1.5(Feb 21, 2022)

    What's Changed

    • Update package lock to version 2 by @codingjoe in https://github.com/django-hijack/django-hijack/pull/382
    • Fix mkdocs build and add CI job by @codingjoe in https://github.com/django-hijack/django-hijack/pull/398
    • Move funding links GitHub sponsorships by @codingjoe in https://github.com/django-hijack/django-hijack/pull/220
    • Do not touch empty sessions to avoid vary on cookie header by @codingjoe in https://github.com/django-hijack/django-hijack/pull/407

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.4...3.1.5

  • 3.1.4(Dec 6, 2021)

    What's Changed

    • Add support for custom user hijack admins by @codingjoe in https://github.com/django-hijack/django-hijack/pull/380

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.3...3.1.4

  • 3.1.3(Nov 23, 2021)

    What's Changed

    • Bump isort from 5.9.3 to 5.10.0 by @dependabot in https://github.com/django-hijack/django-hijack/pull/361
    • Bump isort from 5.10.0 to 5.10.1 by @dependabot in https://github.com/django-hijack/django-hijack/pull/362
    • Bump bandit from 1.7.0 to 1.7.1 by @dependabot in https://github.com/django-hijack/django-hijack/pull/364
    • Bump actions/setup-python from 2.2.2 to 2.3.0 by @dependabot in https://github.com/django-hijack/django-hijack/pull/366
    • Bump black from 21.10b0 to 21.11b1 by @dependabot in https://github.com/django-hijack/django-hijack/pull/368
    • Fix #369 -- Do not allow inactive users to be hijacked by @codingjoe in https://github.com/django-hijack/django-hijack/pull/370

    Full Changelog: https://github.com/django-hijack/django-hijack/compare/3.1.2...3.1.3

  • 3.1.2(Nov 3, 2021)

  • 3.1.1(Oct 19, 2021)

  • 3.1.0(Oct 18, 2021)

  • 3.0.4(Oct 1, 2021)

  • 3.0.3(Sep 23, 2021)

  • 3.0.2(Sep 17, 2021)

  • 3.0.1(Sep 16, 2021)

  • 3.0.0(Aug 3, 2021)

  • 3.0rc4(Jul 3, 2021)

  • 3.0rc3(Mar 26, 2021)

    • Fix #250 -- Fix pattern based LOGOUT_REDIRECT_URL
    • Make admin success URL configurable
    • Move short_description into get_changelist_instance (#254)
  • 3.0rc2(Mar 20, 2021)

  • 3.0rc1(Mar 20, 2021)

    BREAKING CHANGES

    This is a complete rewrite of the django-hijack package. All former APIs are broken.

    How to Upgrade

    Please remove your current integration and follow the setup instructions. This also includes removing the unmaintained django-hijack-admin package, which is no longer needed.

    Notable improvements

    • security first design
    • Django admin support was merged into this package
    • easy integration
    • custom user model support
    • customizable design
    • automatic dark-mode theme
  • 2.3.0(Feb 18, 2021)

    • Simplify URL and view structure. Add support for multiple PK types based on URL pattern as well as natural key support via URL patterns.
    • Remove django-compat dependency.
    • Drop special case handling for unsupported Python/Django versions.
    • Deprecate HIJACK_URL_ALLOWED_ATTRIBUTES setting favoring HIJACK_USER_URL_PATTERN.
    • Deprecate URL names login_with_id, login_with_username and login_with_email favoring acquire.
    • Deprecate URL name release_hijack favoring release.
    • Deprecate views login_with_id, login_with_username and login_with_email favoring release_user_view.
    • Deprecate view release_hijack favoring release_user_view.
    • Reformat code and imports (black/isort).
    • Remove old change log file from repo and distributions.
  • 2.2.1(Jan 31, 2021)

  • 2.2.0(Jan 30, 2021)

    • Update CI suite to run against all supported Django and Python versions
    • Resolve Django 4.0 deprecation warnings
    • Clean up packaging and binary and source distributions
  • v2.1.10(Aug 7, 2018)

  • v2.1.7(Feb 16, 2018)

    • Add Danish translations
    • add conditional to use is_authenticated property when django >= 1.10
    • use django MiddlewareMixin to support new style Middleware
    • added tests for HijackRemoteUserMiddleware
  • v2.1.6(Dec 22, 2017)

  • v2.1.5(Dec 5, 2017)

    • added Django 2.0 Support (#149)
    • Remove deprecated signals from version 1 (#115)
    • mini-css-fix: avoid content to be hidden by the fixed notification warning (#125)
    • Spaces mustn't be contained in email (#148)