I’ll start out with my oft-repeated refrain on this topic, copied directly from the docs:
… The admin’s recommended use is limited to an organization’s internal management tool. It’s not intended for building your entire front end around.
… If you need to provide a more process-centric interface that abstracts away the implementation details of database tables and fields, then it’s probably time to write your own views.
The reason I repeatedly reference these snippets from the docs is that I’ve seen multiple cases where people start with using the admin - then find they need to keep extending it into areas it was never designed to go. In the long run, they end up spending a lot more time trying to tweak the admin to do things “just right” - and write more code in the process - than if they just started out with their own views.
Yes, you can create custom ModelAdmin and Form classes that do this. And if you are absolutely 100% sure that you will never need to extend the functionality beyond this point, you’re probably ok.
On the other hand, creating a couple of views with the associated forms isn’t going to be that much more work and will set you up for later modifications.
So, my recommendation #1 is to not use the Django admin for that. Build your own view for the “editors” group to restrict specifically what they can do with users.
But, if you’re going to use the admin for this, you’re probably going to want to create a custom Form that you can validate upon submission, along with implementing custom has_add_permission, has_change_permission, has_delete_permission, and has_view_permission along with a get_queryset in your ModelAdmin class.
(The issue here is as much about validating what has been submitted as opposed to only limiting what has been rendered on the page. Someone wanting to do something improper can change the rendered page to submit updates to user objects they shouldn’t otherwise be able to change. Therefore, you must validate the permission on the objects when submitted - and that’s the part sometimes ignored when just adding filters to what gets displayed in the admin.)