Allow staff users to use Django Admin to manage users only for specific group

The website is using Django Admin.

There is an account named admin which is a superuser.
Then there is a group called editors which has permissions to add, change and/or view some of the models.
Users in the editors group are staff accounts; they can log in to Django Admin.

Now I would like to create a new group regular_users with users who:

  • cannot log in to Django Admin
  • can log in to the website to see specific content

Users from the editors group:

  • must be able to add or change users in the regular_users group using Django Admin,
  • must NOT be able to add or change any other users (outside the regular_users group)!

How could I achieve that?

I’ll start out with my oft-repeated refrain on this topic, copied directly from the docs:

… The admin’s recommended use is limited to an organization’s internal management tool. It’s not intended for building your entire front end around.

… If you need to provide a more process-centric interface that abstracts away the implementation details of database tables and fields, then it’s probably time to write your own views.

The reason I repeatedly reference these snippets from the docs is that I’ve seen multiple cases where people start with using the admin - then find they need to keep extending it into areas it was never designed to go. In the long run, they end up spending a lot more time trying to tweak the admin to do things “just right” - and write more code in the process - than if they just started out with their own views.

Yes, you can create custom ModelAdmin and Form classes that do this. And if you are absolutely 100% sure that you will never need to extend the functionality beyond this point, you’re probably ok.

On the other hand, creating a couple of views with the associated forms isn’t going to be that much more work and will set you up for later modifications.

So, my recommendation #1 is to not use the Django admin for that. Build your own view for the “editors” group to restrict specifically what they can do with users.

But, if you’re going to use the admin for this, you’re probably going to want to create a custom Form that you can validate upon submission, along with implementing custom has_add_permission, has_change_permission, has_delete_permission, and has_view_permission along with a get_queryset in your ModelAdmin class.

(The issue here is as much about validating what has been submitted as opposed to only limiting what has been rendered on the page. Someone wanting to do something improper can change the rendered page to submit updates to user objects they shouldn’t otherwise be able to change. Therefore, you must validate the permission on the objects when submitted - and that’s the part sometimes ignored when just adding filters to what gets displayed in the admin.)
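The pattern the answer describes (narrow `get_queryset`, override the `has_*_permission` hooks, and re-validate what was actually submitted rather than trusting what was rendered), written out as an added example; it is not code from the thread or from Django. It assumes the group names from the question (`regular_users`, `editors`) and that the mixin is combined with `django.contrib.auth.admin.UserAdmin` in a project's `admin.py`. The submission-time validation lives in `save_model` instead of a custom Form subclass so the policy functions can be exercised on their own; `stub_account` and `stub_request` are offline stand-ins for a User row and an admin request, not Django objects.

```python
"""Restrict non-superuser staff (the "editors" group) to managing accounts that belong
only to the regular_users group. Added example; not the thread's or Django's own code."""
from types import SimpleNamespace

try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # stand-in so the policy helpers run without Django installed
    class PermissionDenied(Exception):
        pass

REGULAR_GROUP = "regular_users"  # group name from the question


def group_names(account):
    """Set of group names on an account: Django's related manager (values_list) or,
    for the offline demo, a plain iterable of names."""
    groups = account.groups
    if hasattr(groups, "values_list"):
        return set(groups.values_list("name", flat=True))
    return set(groups)


def is_editor_only(actor):
    """Staff who are not superusers get the restricted admin."""
    return bool(actor.is_staff) and not actor.is_superuser


def editor_may_manage(target):
    """Editors may touch only plain regular users: no staff/superuser flag, no other group."""
    return (not target.is_staff and not target.is_superuser
            and group_names(target) == {REGULAR_GROUP})


def submission_problems(actor, cleaned, adding):
    """Server-side check of the submitted form data (cleaned_data), independent of what
    was rendered. Returns a list of violations; an empty list means the save may proceed."""
    if not is_editor_only(actor):
        return []  # superusers keep the stock admin behaviour
    problems = []
    if cleaned.get("is_staff") or cleaned.get("is_superuser"):
        problems.append("editors may not grant staff or superuser status")
    if cleaned.get("user_permissions"):
        problems.append("editors may not grant individual permissions")
    submitted = {getattr(g, "name", g) for g in cleaned.get("groups", [])}
    # The add form carries no groups field; the account is put into regular_users on save.
    if not adding and submitted != {REGULAR_GROUP}:
        problems.append("editors may only assign the regular_users group")
    return problems


class RegularUsersOnlyAdminMixin:
    """Use as: class RestrictedUserAdmin(RegularUsersOnlyAdminMixin, UserAdmin)."""

    def get_queryset(self, request):
        qs = super().get_queryset(request)
        if not is_editor_only(request.user):
            return qs
        # Narrows the changelist; the per-object checks below remain authoritative.
        return qs.filter(groups__name=REGULAR_GROUP, is_staff=False,
                         is_superuser=False).distinct()

    def _allowed(self, request, obj):
        return obj is None or not is_editor_only(request.user) or editor_may_manage(obj)

    def has_view_permission(self, request, obj=None):
        return super().has_view_permission(request, obj) and self._allowed(request, obj)

    def has_change_permission(self, request, obj=None):
        return super().has_change_permission(request, obj) and self._allowed(request, obj)

    def has_delete_permission(self, request, obj=None):
        return super().has_delete_permission(request, obj) and self._allowed(request, obj)

    def save_model(self, request, obj, form, change):
        # Validate what was submitted, not what was rendered: a tampered page cannot
        # escalate flags or groups because the check runs again here. On change, obj
        # still carries the stored group membership (M2M is saved afterwards).
        editor = is_editor_only(request.user)
        if editor:
            problems = submission_problems(request.user, form.cleaned_data, adding=not change)
            if problems or (change and not editor_may_manage(obj)):
                raise PermissionDenied("; ".join(problems) or "not a regular_users account")
            obj.is_staff = False
            obj.is_superuser = False
        super().save_model(request, obj, form, change)
        if editor and not change:
            from django.contrib.auth.models import Group  # runtime import: needs a configured project
            obj.groups.add(Group.objects.get(name=REGULAR_GROUP))


def stub_account(is_staff, is_superuser, groups):
    """Offline stand-in for a User row (demo only, not a Django model)."""
    return SimpleNamespace(is_staff=is_staff, is_superuser=is_superuser, groups=list(groups))


def stub_request(user):
    """Offline stand-in for an admin request (demo only)."""
    return SimpleNamespace(user=user)
```

The changelist filter only hides rows; the `_allowed` check on every `has_*_permission` call and the re-validation in `save_model` are what actually stop an editor who edits the rendered page to post a different user id or an extra group. New accounts created by an editor are forced into `regular_users` with the staff and superuser flags cleared, so the editor can keep managing them afterwards.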

KenWhitesell gave details about the process. I want to share my experience of how I handle multiple user types. I create an abstract User model where I have different kinds of user, then I create groups based on user type and add permissions to the groups. I write logic in my registration forms which adds a specific user to a specific group. Assume I have customer and seller; then I create two separate registration forms, one for customer and one for seller. When any user registers as a customer or seller, he is added to my customer or seller group; then I use perms in my HTML templates. If the user has the perm he can see the template, otherwise not.

I was afraid I would get such answers 🙂.
The trouble is I have no experience with the Django authentication system and was hoping to somehow “improvise” with Django Admin.
Thanks anyway!