Hiding data from the Django admin

How can I hide data from a superuser? When you deploy your application on Heroku or any cloud provider, you can see what other people posted in your application by visiting the admin page at www.example.com/admin. I don’t want the superuser to be able to see or change anything that is created by other people; I want that data to be hidden only from the superuser, but I want those who created the data to be able to see it and even edit it.

I’m trying to use django-cryptography, but it didn’t support Django==4.1.5. How can I hide that data specifically from a superuser?

from django.contrib.auth.models import User
from django.db import models
from django.utils.text import slugify


class PrimaryAlbum(models.Model):
    name = models.CharField(max_length=100)
    # The user who created the album; albums are removed with their user.
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    slug = models.SlugField(unique=True, max_length=100)

    def save(self, *args, **kwargs):
        # The slug is derived from the name on every save
        # (two albums with the same name would collide on the unique slug).
        self.slug = slugify(self.name)
        super().save(*args, **kwargs)

    def __str__(self):
        return self.name

Check out the admin docs for has_foo_permission, where foo is one of the permissions: view, change, delete, add.

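As an added example (not code from the thread), here is one way to apply those has_foo_permission hooks so that staff users only list, view, change and delete the rows they created. It assumes the model has a user ForeignKey like PrimaryAlbum above; the mixin itself has no Django dependency, and the registration shown in the trailing comment is where it meets a real ModelAdmin.

```python
class OwnerScopedAdminMixin:
    """Mix into a ModelAdmin: list, view, change and delete only rows you created.

    Assumes the model has a ForeignKey to the creating user (owner_field).
    """

    owner_field = "user"

    def _owns(self, request, obj):
        # obj is None on changelist/add views; the object-level rule applies to rows only.
        return obj is None or getattr(obj, self.owner_field) == request.user

    def get_queryset(self, request):
        # The changelist and admin lookups only see the logged-in staff user's rows.
        return super().get_queryset(request).filter(**{self.owner_field: request.user})

    def has_view_permission(self, request, obj=None):
        return super().has_view_permission(request, obj) and self._owns(request, obj)

    def has_change_permission(self, request, obj=None):
        return super().has_change_permission(request, obj) and self._owns(request, obj)

    def has_delete_permission(self, request, obj=None):
        return super().has_delete_permission(request, obj) and self._owns(request, obj)

    def save_model(self, request, obj, form, change):
        # Stamp the creator on insert so new rows fall under the same scoping.
        if not change:
            setattr(obj, self.owner_field, request.user)
        super().save_model(request, obj, form, change)


# Registration in admin.py (needs Django; PrimaryAlbum is the model from the question):
#
#     from django.contrib import admin
#     from .models import PrimaryAlbum
#
#     @admin.register(PrimaryAlbum)
#     class PrimaryAlbumAdmin(OwnerScopedAdminMixin, admin.ModelAdmin):
#         exclude = ("user",)  # set by save_model, not chosen in the form
```

This only narrows what the admin UI shows and accepts; an account with superuser status can still reach the same rows through the database, a shell, or by changing this code, so it is a convenience scope, not a boundary against the superuser.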

You do this by greatly restricting access to the superuser account. There should never be more than two people (possibly three in a sufficiently-large organization) having the password for that account.

The superuser account bypasses all authority tests within the admin - by design. It is your “account of last resort”.

The mistake is getting into the habit of routinely using that account, when in reality, other “is_staff” accounts should be created and used for normal purposes when access to the admin is required.

The other big mistake is assuming that the admin is something that you would ever voluntarily expose to an external entity.

From the docs:

The admin’s recommended use is limited to an organization’s internal management tool. It’s not intended for building your entire front end around.

(Note: Even django-cryptography is not going to hide the data from the superuser account.)


That means the superuser can see or manage everything from the admin page no matter what Django package I use?

I also wonder why:

The admin’s recommended use is limited to an organization’s internal management tool. It’s not intended for building your entire front end around.

Correct. That’s the purpose of the superuser account.

Because it’s not designed to be anything other than that. That’s all explained in the referenced docs.
