"Log in as user" for the Django admin.

Overview

django-loginas

About

"Login as user" for the Django admin.

Build Status PyPI version

loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6.

Installing django-loginas

  • Add loginas to your Python path, or install using pip: pip install django-loginas

  • Add the loginas app to your INSTALLED_APPS:

    # settings.py
    INSTALLED_APPS = [... 'loginas', ...]
  • Add the loginas URL to your urls.py:

    # urls.py
    urlpatterns += path("admin/", include('loginas.urls')),
  • If you're using a custom User model, you'll need to add the template to it so the button shows up:

    # admin.py
    class YourUserAdmin(ModelAdmin):
        change_form_template = 'loginas/change_form.html'

At this point, you should be good to go. Just visit the Django admin, navigate to a user and you should see the "Log in as user" button at the top right of the screen.

Configuring

At this point, the only users who will be able to log in as other users are those with the is_superuser permission. If you use custom User models, and haven't specified that permission, or if you want to change which users are authorized to log in as others, you can define the CAN_LOGIN_AS setting, like so:

# settings.py

# This will only allow admins to log in as other users:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser

# This will only allow admins to log in as other users, as long as
# those users are not admins themselves:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser and not target_user.is_superuser

# You can also define a string path to a module:
CAN_LOGIN_AS = "utils.helpers.custom_loginas"

By default, clicking "Login as user" will send the user to settings.LOGIN_REDIRECT_URL. You can override this behavior like so:

# settings.py

LOGINAS_REDIRECT_URL = '/loginas-redirect-url'

In order to automatically restore the original user upon log out, replace the default log out with a special log out that restores the original login session from a signed session.

# settings.py

from django.core.urlresolvers import reverse_lazy
LOGOUT_URL = reverse_lazy('loginas-logout')

Additionally, you can specify the redirect url for logout (the default is settings.LOGIN_REDIRECT_URL).

# settings.py

from django.core.urlresolvers import reverse_lazy
LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')

By default, clicking "Login as user" will not update user.last_login. You can override this behavior like so:

# settings.py

LOGINAS_UPDATE_LAST_LOGIN = True

By default, the login switch message will use the User model's USERNAME_FIELD. You can override this behavior by passing in a different field name:

# settings.py

LOGINAS_USERNAME_FIELD = 'email'

Other implementation suggestions

Existing logout view?

If you already have a logout view, you can modify to login the original user again after having had a "login as" session. Here's an example:

class LogoutView(LogoutView):
    template_name = 'myapp/logged_out.html'

    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        from loginas.utils import restore_original_login
        restore_original_login(request)
        return redirect('myapp:login')

Template awareness

You can add the context processor loginas.context_processors.impersonated_session_status in your settings.py file if you'd like to be able to access a variable is_impersonated_session in all your template contexts:

# settings.py

TEMPLATES = [
    {
        ...
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                ...
                'loginas.context_processors.impersonated_session_status',
            ],
        },
    },
]

Note that django-loginas won't let you log in as other superusers, to prevent privilege escalation from staff users to superusers. If you want to log in as a superuser, first demote them to a non-superuser, and then log in.

License

This software is distributed under the BSD license.

Comments
  • loginas doesn't work if the authentication backend doesn't have `get_user` method

    loginas doesn't work if the authentication backend doesn't have `get_user` method

    django-loginas does not work with django-rules as an Authentication Backend.

    We use django-rules to specify custom authentication rules. As a result, we have this in our settings:

    AUTHENTICATION_BACKENDS = (
        'rules.permissions.ObjectPermissionBackend',
        'django.contrib.auth.backends.ModelBackend',
    )
    

    However, rules.permissions.ObjectPermissionBackend does not specify a get_user method (as seen here). Even though, the Django documentation says that each backend must implement a get_user method, apparently this is not enforced (!?). This was discussed in a django-rules issue here: https://github.com/dfunckt/django-rules/issues/46

    The reason why I believe this is not enforced is because they made some changes in the behavior of force_login (https://code.djangoproject.com/ticket/27542#ticket).

    A quick workaround would be to check if the authentication backend has a get_user method. If not, then continue.

    Does this make sense?

    opened by bbirand 13
  • Don't allow login as other staff users

    Don't allow login as other staff users

    For audit-ability, I don't want superusers to be able to authenticate as other staff users (especially not as other superusers).

    One (or more) of these could work:

    1. Completely disallow logging in as other staff users
    2. Add a setting that when enabled will disallow logging in as other staff users
    3. Add a setting allowing certain user groups to be excluded from the loginas feature
    4. Add a setting restricting the loginas feature to certain user groups
    opened by treyhunner 12
  • Feature Suggestion: Go back to being original user.

    Feature Suggestion: Go back to being original user.

    Nice job thanks!

    You're already storing the original user.pk in the session, it would be great to be able to go back to being who you were without logging out. If there's no objection I'd be happy to add a view for that.

    Then perhaps a context processor to put html for a button in the context when the user is being impersonated. It would be up to the application developer to decide where to place the button so that anyone will be able to see it, since that would vary for every application.

    opened by benmehlman 10
  • Doesn't work with Django 3.0

    Doesn't work with Django 3.0

    Tried the latest django-loginas (master branch of this repo) and got this error:

      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/kryptex/config/urls.py", line 57, in <module>
        url(r'^adminium/', include('loginas.urls')),
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/django/urls/conf.py", line 34, in include
        urlconf_module = import_module(urlconf_module)
      File "/Users/mmalysh/.pyenv/versions/3.6.9/lib/python3.6/importlib/__init__.py", line 126, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/urls.py", line 2, in <module>
        from loginas.views import user_login, user_logout
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/views.py", line 5, in <module>
        from django.utils import six
    ImportError: cannot import name 'six'
    
    opened by maxmalysh 7
  • Feat/admin log entry

    Feat/admin log entry

    Added automatic admin-log-entries like "User X logged in as User Y", added optional context_processor to get the impersonation status in all templates and updated the ReadMe for it.

    opened by lggwettmann 7
  • Feature Idea: view decorator to prompt for login as a different user

    Feature Idea: view decorator to prompt for login as a different user

    Here's the use case:

    1. Staff user logs into admin site
    2. Staff user navigates to Post model's page
    3. Staff user clicks "View on Site"
    4. The post is private so a page is shown to admin user presenting a list of users to re-authenticate as
    5. Staff member selects a user to re-authenticate as and is logged in and redirected to the page
    opened by treyhunner 7
  • Modernize Django URL's

    Modernize Django URL's

    Fixes this warning:

    .../python3.9/site-packages/loginas/urls.py:6: RemovedInDjango40Warning: django.conf.urls.url() is deprecated in favor of django.urls.re_path().
        url(r"^logout/$", user_logout, name="loginas-logout"),
    

    And uses the new path syntax added in Django 2.0

    opened by adamchainz 5
  • Added possibility login as superusers

    Added possibility login as superusers

    Added option CAN_LOGIN_IN_SUPERUSER If CAN_LOGIN_IN_SUPERUSER == True -> you can login as in superuser If CAN_LOGIN_IN_SUPERUSER == False -> you can't login as in superuser By default you can't

    opened by axsapronov 5
  • Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    When admin logging out from delegated session we might want to take user back to admin pages this now can be accomplished by setting var LOGINAS_LOGOUT_REDIRECT_URL instead of always redirecting user back to settings.LOGIN_REDIRECT_URL

    # settings.py
    
    from django.core.urlresolvers import reverse_lazy
    LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')
    
    opened by intellisense 5
  • permissions required to see the log in as button?

    permissions required to see the log in as button?

    Hi,

    What is actually required to display the "log in as" button? I have a user that is in a group A that has the change permission on user but the button is not displayed. I tried to give all the permissions to this group and it did not change anything. Only when I set the user as a super user, he can see the button. Is it required to be a super user to see the "log in as" button?

    Thanks

    opened by YAmikep 5
  • Is there a way to know we are logging in via this method?

    Is there a way to know we are logging in via this method?

    Hi,

    Is there a way to know we are logging in via this method? For example, I do not want the analytics to be triggered on the pages if an admin logs in as a user to check something.

    Thanks

    opened by YAmikep 5
  • Add

    Add "reason" for logging in

    For compliance reasons it might be nice to add a reason for logging in as a user, for example to add a link to the internal support ticket. Just a TextField that gets added to the django admin history would be great.

    opened by timgl 0
  • ImproperlyConfigured if target user is inactive

    ImproperlyConfigured if target user is inactive

    Hello, The default implementation of django.contrib.auth.backends.ModelBackend.get_user prevents inactive users to logging in since Django 1.10 (see user_can_authenticate). I do believe this error should't be critical since you could fix it without updating project configuration and better showing warning / error message instead. How about allow throwing custom exception in can_login_as with the reason why you can't log in as a target user and showing it to the authenticated user in this case?

    opened by pacahon 9
  • django.contrib.admin is required

    django.contrib.admin is required

    It appears as though the loginas app has an undocumented dependency on the django.contrib.admin app in utils.py

    Traceback (most recent call last):                                                                                                                 
    [...]                                                                  
      File "/app/project/apps/accounts/urls.py", line 4, in <module>                                                                                   
        from loginas.views import user_login                                                                                                           
      File "/usr/local/lib/python3.7/site-packages/loginas/views.py", line 11, in <module>                                                             
        from .utils import login_as, restore_original_login                                                                                            
      File "/usr/local/lib/python3.7/site-packages/loginas/utils.py", line 7, in <module>                                                              
        from django.contrib.admin.models import CHANGE, LogEntry                                                                                       
      File "/usr/local/lib/python3.7/site-packages/django/contrib/admin/models.py", line 39, in <module>                                               
        class LogEntry(models.Model):                                                                                                                  
      File "/usr/local/lib/python3.7/site-packages/django/db/models/base.py", line 111, in __new__                                                     
        "INSTALLED_APPS." % (module, name)                                                                                                             
    RuntimeError: Model class django.contrib.admin.models.LogEntry doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.
    

    I believe this could be corrected by testing whether the admin is installed or not, and skipping trying to create the LogEntry if isn't installed. If that makes sense, I can submit a patch to make this change.

    opened by notanumber 2
  • Send user_id with POST

    Send user_id with POST

    Sorry for my English.

    I'm trying to add "Login as" buttons to admin changelist and faced with the complexity associated with the fact that user_id passed via URL. If you will pass it as POST parameter, you will have the opportunity to use single form with multiple buttons like this: <button form="loginas-form" name="user_id" value="{{ user.id }}">Login as {{ user.username }}</button>

    opened by pix666 2
  • Fix translations in wheel files, build translations on build, remove .mo files

    Fix translations in wheel files, build translations on build, remove .mo files

    Hi,

    sorry to bother you again, but nor the WHL file, neither the sdist .tar.gz for 0.3.3 contain the translations.

    Also, they weren't build on install.

    So, I added that to setup.py.

    Also, we need only .po files with translations, as .mo files are being built before the build stage. So I removed .mo files from git and added them to .gitignore .

    I'd love you to review the changes, eventually commit them and create 0.3.4 release. Thanks.

    opened by mpasternak 1
Releases(v0.3.8)
Owner
Stavros Korokithakis
I love writing code, making stupid devices and writing about writing code and making stupid devices.
Stavros Korokithakis
Django Smuggler is a pluggable application for Django Web Framework that helps you to import/export fixtures via the automatically-generated administration interface.

Django Smuggler Django Smuggler is a pluggable application for Django Web Framework to easily dump/load fixtures via the automatically-generated admin

semente 373 Dec 26, 2022
A modern Python package manager with PEP 582 support.

A modern Python package manager with PEP 582 support.

Python Development Master(PDM) 3.6k Jan 05, 2023
Jet Bridge (Universal) for Jet Admin – API-based Admin Panel Framework for your application

Jet Bridge for Jet Admin – Admin panel framework for your application Description About Jet Admin: https://about.jetadmin.io Live Demo: https://app.je

Jet Admin 1.3k Dec 27, 2022
Sandwich Batch Normalization

Sandwich Batch Normalization Code for Sandwich Batch Normalization. Introduction We present Sandwich Batch Normalization (SaBN), an extremely easy imp

VITA 48 Dec 15, 2022
Modern theme for Django admin interface

Django Suit Modern theme for Django admin interface. Django Suit is alternative theme/skin/extension for Django administration interface. Project home

Kaspars Sprogis 2.2k Dec 29, 2022
A jazzy skin for the Django Admin-Interface (official repository).

Django Grappelli A jazzy skin for the Django admin interface. Grappelli is a grid-based alternative/extension to the Django administration interface.

Patrick Kranzlmueller 3.4k Dec 31, 2022
EOD (Easy and Efficient Object Detection) is a general object detection model production framework.

EOD (Easy and Efficient Object Detection) is a general object detection model production framework.

383 Jan 07, 2023
xarray: N-D labeled arrays and datasets

xarray is an open source project and Python package that makes working with labelled multi-dimensional arrays simple, efficient, and fun!

Python for Data 2.8k Dec 29, 2022
Allow foreign key attributes in list_display with '__'

django-related-admin Allow foreign key attributes in Django admin change list list_display with '__' This is based on DjangoSnippet 2996 which was mad

Petr Dlouhý 62 Nov 18, 2022
Material design for django administration

Django Material Administration Quick start pip install django-material-admin Add material.admin and material.admin.default to your INSTALLED_APPS sett

Anton 279 Jan 05, 2023
PyMMO is a Python-based MMO game framework using sockets and PyGame.

PyMMO is a Python framework/template of a MMO game built using PyGame on top of Python's built-in socket module.

Luis Souto Maior 61 Dec 18, 2022
A jazzy skin for the Django Admin-Interface (official repository).

Django Grappelli A jazzy skin for the Django admin interface. Grappelli is a grid-based alternative/extension to the Django administration interface.

Patrick Kranzlmueller 3.4k Dec 31, 2022
Python books free to read online or download

Python books free to read online or download

Paolo Amoroso 3.7k Jan 08, 2023
With Django Hijack, admins can log in and work on behalf of other users without having to know their credentials.

Django Hijack With Django Hijack, admins can log in and work on behalf of other users without having to know their credentials. Docs 3.x docs are avai

1.2k Jan 02, 2023
A python application for manipulating pandas data frames from the comfort of your web browser

A python application for manipulating pandas data frames from the comfort of your web browser. Data flows are represented as a Directed Acyclic Graph, and nodes can be ran individually as the user se

Schlerp 161 Jan 04, 2023
There is a new admin bot by @sinan-m-116 .

find me on telegram! deploy me on heroku, use below button: If you can't have a config.py file (EG on heroku), it is also possible to use environment

Sinzz-sinan-m 0 Nov 09, 2021
FLEX (Federated Learning EXchange,FLEX) protocol is a set of standardized federal learning agreements designed by Tongdun AI Research Group。

Click to view Chinese version FLEX (Federated Learning Exchange) protocol is a set of standardized federal learning agreements designed by Tongdun AI

同盾科技 50 Nov 29, 2022
A platform used with frabit-server and frabit

A platform used with frabit-server and frabit

FrabitTech 1 Mar 03, 2022
Tornadmin is an admin site generation framework for Tornado web server.

Tornadmin is an admin site generation framework for Tornado web server.

Bharat Chauhan 0 Jan 10, 2022
StyleCLIP: Text-Driven Manipulation of StyleGAN Imagery

StyleCLIP: Text-Driven Manipulation of StyleGAN Imagery

3.3k Jan 01, 2023