"Log in as user" for the Django admin.

Overview

django-loginas

loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6.

Installing django-loginas

  • Add loginas to your Python path, or install using pip: pip install django-loginas

  • Add the loginas app to your INSTALLED_APPS:

    # settings.py
    INSTALLED_APPS = [..., 'loginas', ...]

  • Add the loginas URL to your urls.py:

    # urls.py
    from django.urls import include, path

    urlpatterns += [path("admin/", include('loginas.urls'))]

  • If you're using a custom User model, you'll need to add the template to it so the button shows up:

    # admin.py
    from django.contrib.admin import ModelAdmin

    class YourUserAdmin(ModelAdmin):
        change_form_template = 'loginas/change_form.html'

At this point, you should be good to go. Just visit the Django admin, navigate to a user and you should see the "Log in as user" button at the top right of the screen.

Configuring

At this point, the only users who will be able to log in as other users are those with the is_superuser permission. If you use custom User models, and haven't specified that permission, or if you want to change which users are authorized to log in as others, you can define the CAN_LOGIN_AS setting, like so:

# settings.py

# This will only allow admins to log in as other users:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser

# This will only allow admins to log in as other users, as long as
# those users are not admins themselves:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_superuser and not target_user.is_superuser

# You can also define a string path to a module:
CAN_LOGIN_AS = "utils.helpers.custom_loginas"
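
An added example (not code from django-loginas or this README) of what the `utils.helpers.custom_loginas` callable referenced above might contain: a deny-by-default policy that also refuses staff, superuser and inactive targets and writes an audit line for every decision. `evaluate_loginas`, `make_user` and the logger name are hypothetical; the user stand-ins are constructed sample data so the policy can be exercised without a Django project.

```python
# utils/helpers.py (module path taken from the string setting shown above)
# settings.py would contain: CAN_LOGIN_AS = "utils.helpers.custom_loginas"
import logging
from types import SimpleNamespace

audit_log = logging.getLogger("loginas.audit")  # logger name is an assumption


def evaluate_loginas(request, target_user):
    """Return (allowed, reason) for an impersonation attempt; deny by default."""
    actor = getattr(request, "user", None)
    if actor is None or not getattr(actor, "is_active", False):
        return False, "actor is anonymous or inactive"
    if not getattr(actor, "is_superuser", False):
        return False, "actor is not a superuser"
    if actor.pk == target_user.pk:
        return False, "actor and target are the same account"
    if not target_user.is_active:
        # A deactivated account should not become usable through impersonation.
        return False, "target is inactive"
    if target_user.is_superuser or target_user.is_staff:
        # Keeps privileged actions attributable to the person who took them.
        return False, "target is staff or superuser"
    return True, "ok"


def custom_loginas(request, target_user):
    """Callable with the (request, target_user) signature CAN_LOGIN_AS uses."""
    allowed, reason = evaluate_loginas(request, target_user)
    actor_pk = getattr(getattr(request, "user", None), "pk", None)
    audit_log.log(
        logging.INFO if allowed else logging.WARNING,
        "loginas actor=%s target=%s allowed=%s reason=%s",
        actor_pk, target_user.pk, allowed, reason,
    )
    return allowed


def make_user(pk, **flags):
    """Constructed stand-in for a Django user object (sample data only)."""
    base = dict(pk=pk, is_active=True, is_staff=False, is_superuser=False)
    base.update(flags)
    return SimpleNamespace(**base)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    admin = make_user(1, is_staff=True, is_superuser=True)
    targets = {
        "customer": make_user(4),
        "staff": make_user(3, is_staff=True),
        "disabled": make_user(5, is_active=False),
    }
    for label, target in targets.items():
        decision = custom_loginas(SimpleNamespace(user=admin), target)
        print(label, decision)
```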

By default, clicking "Login as user" will send the user to settings.LOGIN_REDIRECT_URL. You can override this behavior like so:

# settings.py

LOGINAS_REDIRECT_URL = '/loginas-redirect-url'

In order to automatically restore the original user upon log out, replace the default log out with a special log out that restores the original login session from a signed session.

# settings.py

# django.core.urlresolvers was removed in Django 2.0; reverse_lazy lives in django.urls
from django.urls import reverse_lazy
LOGOUT_URL = reverse_lazy('loginas-logout')

Additionally, you can specify the redirect url for logout (the default is settings.LOGIN_REDIRECT_URL).

# settings.py

# django.core.urlresolvers was removed in Django 2.0; reverse_lazy lives in django.urls
from django.urls import reverse_lazy
LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')

By default, clicking "Login as user" will not update user.last_login. You can override this behavior like so:

# settings.py

LOGINAS_UPDATE_LAST_LOGIN = True

By default, the login switch message will use the User model's USERNAME_FIELD. You can override this behavior by passing in a different field name:

# settings.py

LOGINAS_USERNAME_FIELD = 'email'

Other implementation suggestions

Existing logout view?

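If you already have a logout view, you can modify it to log the original user back in after a "login as" session. Here's an example:

from django.contrib.auth.views import LogoutView
from django.shortcuts import redirect
from django.utils.decorators import method_decorator
from django.views.decorators.cache import never_cache

class LogoutView(LogoutView):
    template_name = 'myapp/logged_out.html'

    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        # Restore the original (impersonating) user's login before redirecting
        from loginas.utils import restore_original_login
        restore_original_login(request)
        return redirect('myapp:login')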

Template awareness

You can add the context processor loginas.context_processors.impersonated_session_status in your settings.py file if you'd like to be able to access a variable is_impersonated_session in all your template contexts:

# settings.py

TEMPLATES = [
    {
        ...
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                ...
                'loginas.context_processors.impersonated_session_status',
            ],
        },
    },
]

Note that django-loginas won't let you log in as other superusers, to prevent privilege escalation from staff users to superusers. If you want to log in as a superuser, first demote them to a non-superuser, and then log in.

License

This software is distributed under the BSD license.

Comments
  • loginas doesn't work if the authentication backend doesn't have `get_user` method

    django-loginas does not work with django-rules as an Authentication Backend.

    We use django-rules to specify custom authentication rules. As a result, we have this in our settings:

    AUTHENTICATION_BACKENDS = (
        'rules.permissions.ObjectPermissionBackend',
        'django.contrib.auth.backends.ModelBackend',
    )
    

    However, rules.permissions.ObjectPermissionBackend does not specify a get_user method (as seen here). Even though the Django documentation says that each backend must implement a get_user method, apparently this is not enforced (!?). This was discussed in a django-rules issue here: https://github.com/dfunckt/django-rules/issues/46

    The reason why I believe this is not enforced is because they made some changes in the behavior of force_login (https://code.djangoproject.com/ticket/27542#ticket).

    A quick workaround would be to check if the authentication backend has a get_user method. If not, then continue.

    Does this make sense?

    opened by bbirand 13
  • Don't allow login as other staff users

    For audit-ability, I don't want superusers to be able to authenticate as other staff users (especially not as other superusers).

    One (or more) of these could work:

    1. Completely disallow logging in as other staff users
    2. Add a setting that when enabled will disallow logging in as other staff users
    3. Add a setting allowing certain user groups to be excluded from the loginas feature
    4. Add a setting restricting the loginas feature to certain user groups
    opened by treyhunner 12
  • Feature Suggestion: Go back to being original user.

    Nice job thanks!

    You're already storing the original user.pk in the session, it would be great to be able to go back to being who you were without logging out. If there's no objection I'd be happy to add a view for that.

    Then perhaps a context processor to put html for a button in the context when the user is being impersonated. It would be up to the application developer to decide where to place the button so that anyone will be able to see it, since that would vary for every application.

    opened by benmehlman 10
  • Doesn't work with Django 3.0

    Tried the latest django-loginas (master branch of this repo) and got this error:

      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/kryptex/config/urls.py", line 57, in <module>
        url(r'^adminium/', include('loginas.urls')),
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/django/urls/conf.py", line 34, in include
        urlconf_module = import_module(urlconf_module)
      File "/Users/mmalysh/.pyenv/versions/3.6.9/lib/python3.6/importlib/__init__.py", line 126, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 994, in _gcd_import
      File "<frozen importlib._bootstrap>", line 971, in _find_and_load
      File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 678, in exec_module
      File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/urls.py", line 2, in <module>
        from loginas.views import user_login, user_logout
      File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/views.py", line 5, in <module>
        from django.utils import six
    ImportError: cannot import name 'six'
    
    opened by maxmalysh 7
  • Feat/admin log entry

    Added automatic admin-log-entries like "User X logged in as User Y", added optional context_processor to get the impersonation status in all templates and updated the ReadMe for it.

    opened by lggwettmann 7
  • Feature Idea: view decorator to prompt for login as a different user

    Here's the use case:

    1. Staff user logs into admin site
    2. Staff user navigates to Post model's page
    3. Staff user clicks "View on Site"
    4. The post is private so a page is shown to admin user presenting a list of users to re-authenticate as
    5. Staff member selects a user to re-authenticate as and is logged in and redirected to the page
    opened by treyhunner 7
  • Modernize Django URL's

    Fixes this warning:

    .../python3.9/site-packages/loginas/urls.py:6: RemovedInDjango40Warning: django.conf.urls.url() is deprecated in favor of django.urls.re_path().
        url(r"^logout/$", user_logout, name="loginas-logout"),
    

    And uses the new path syntax added in Django 2.0

    opened by adamchainz 5
  • Added possibility login as superusers

    Added option CAN_LOGIN_IN_SUPERUSER.

    If CAN_LOGIN_IN_SUPERUSER == True -> you can log in as a superuser.
    If CAN_LOGIN_IN_SUPERUSER == False -> you can't log in as a superuser.

    By default you can't.

    opened by axsapronov 5
  • Configurable logout redirect url via LOGINAS_LOGOUT_REDIRECT_URL

    When an admin logs out from a delegated session, we might want to take the user back to the admin pages. This can now be accomplished by setting the variable LOGINAS_LOGOUT_REDIRECT_URL instead of always redirecting the user back to settings.LOGIN_REDIRECT_URL.

    # settings.py
    
    from django.core.urlresolvers import reverse_lazy
    LOGINAS_LOGOUT_REDIRECT_URL = reverse_lazy('admin:index')
    
    opened by intellisense 5
  • permissions required to see the log in as button?

    Hi,

    What is actually required to display the "log in as" button? I have a user that is in a group A that has the change permission on user but the button is not displayed. I tried to give all the permissions to this group and it did not change anything. Only when I set the user as a super user, he can see the button. Is it required to be a super user to see the "log in as" button?

    Thanks

    opened by YAmikep 5
  • Is there a way to know we are logging in via this method?

    Hi,

    Is there a way to know we are logging in via this method? For example, I do not want the analytics to be triggered on the pages if an admin logs in as a user to check something.

    Thanks

    opened by YAmikep 5
  • Add "reason" for logging in

    For compliance reasons it might be nice to add a reason for logging in as a user, for example to add a link to the internal support ticket. Just a TextField that gets added to the django admin history would be great.

    opened by timgl 0
  • ImproperlyConfigured if target user is inactive

    Hello, the default implementation of django.contrib.auth.backends.ModelBackend.get_user has prevented inactive users from logging in since Django 1.10 (see user_can_authenticate). I do believe this error shouldn't be critical, since you could fix it without updating the project configuration, and it would be better to show a warning / error message instead. How about allowing a custom exception to be thrown in can_login_as with the reason why you can't log in as a target user, and showing it to the authenticated user in this case?

    opened by pacahon 9
  • django.contrib.admin is required

    It appears as though the loginas app has an undocumented dependency on the django.contrib.admin app in utils.py

    Traceback (most recent call last):                                                                                                                 
    [...]                                                                  
      File "/app/project/apps/accounts/urls.py", line 4, in <module>                                                                                   
        from loginas.views import user_login                                                                                                           
      File "/usr/local/lib/python3.7/site-packages/loginas/views.py", line 11, in <module>                                                             
        from .utils import login_as, restore_original_login                                                                                            
      File "/usr/local/lib/python3.7/site-packages/loginas/utils.py", line 7, in <module>                                                              
        from django.contrib.admin.models import CHANGE, LogEntry                                                                                       
      File "/usr/local/lib/python3.7/site-packages/django/contrib/admin/models.py", line 39, in <module>                                               
        class LogEntry(models.Model):                                                                                                                  
      File "/usr/local/lib/python3.7/site-packages/django/db/models/base.py", line 111, in __new__                                                     
        "INSTALLED_APPS." % (module, name)                                                                                                             
    RuntimeError: Model class django.contrib.admin.models.LogEntry doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.
    

    I believe this could be corrected by testing whether the admin is installed or not, and skipping trying to create the LogEntry if it isn't installed. If that makes sense, I can submit a patch to make this change.

    opened by notanumber 2
  • Send user_id with POST

    Sorry for my English.

    I'm trying to add "Login as" buttons to the admin changelist and ran into the complexity associated with the fact that user_id is passed via the URL. If you pass it as a POST parameter, you will have the opportunity to use a single form with multiple buttons like this: <button form="loginas-form" name="user_id" value="{{ user.id }}">Login as {{ user.username }}</button>

    opened by pix666 2
  • Fix translations in wheel files, build translations on build, remove .mo files

    Hi,

    Sorry to bother you again, but neither the WHL file nor the sdist .tar.gz for 0.3.3 contains the translations.

    Also, they weren't built on install.

    So, I added that to setup.py.

    Also, we need only .po files with translations, as .mo files are being built before the build stage. So I removed .mo files from git and added them to .gitignore.

    I'd love you to review the changes, eventually commit them and create 0.3.4 release. Thanks.

    opened by mpasternak 1
Releases(v0.3.8)
Owner
Stavros Korokithakis