Restricting login to Admin while enabling to Custom Admin

Greetings

So all I’m trying to do is restrict login to users in the admin page, while enabling login to a custom admin page I built, in a simpler manner. So if I select is_staff they get access to both pages, admin and custom admin. Not sure if there is a simpler way to do this besides all the coding on permissions and assigning them groups for views etc. I have experimented with this and it works somewhat, but it seems like overkill when all I should have been doing is just preventing them from logging into the main admin… So in a nutshell, all I want is to stop them logging into the main admin while enabling them on a custom admin site I built.

My opinion would be that is_staff should be reserved for access to the Django admin app. If you’ve got pages that need to be access-controlled, then yes, groups and permissions are the appropriate mechanism. Note - you don’t need to create a large number of individual permissions for each view within your site. You can create a custom permission called “user admin” and test for that across every view.

Keep in mind that people do not “log on” to a page or app. They log on to your site. All the different urls are managed through the single set of credentials used when logging on. The Django admin facility has the additional feature that, if you access a page in the admin url structure, it’ll present a custom login page. This does not mean that you are logging on to that app.

I like this approach because it allows future Django devs to have reasonable assumptions about how the admin works. Breaking from the default functionality is justified, but a part of that cost is losing the consistency with other Django projects which increases the amount of domain knowledge a person needs for your project and slows down on-boarding.

Ok, but something seems not right with my app. I was mistaken to assume I could permission the person out even with is_staff set to true. In the default admin panel I’m using a custom user model (AbstractBaseUser) and can’t seem to stop anybody who is_staff from editing all objects even when they are not superusers and no permissions are given. This should have worked, right? Having is_staff=true and removing all permissions would mean the user can log in but would see nothing to edit.

There is the possibility that you’re encountering a permissions caching situation. After revoking the permissions, you could try restarting your server.

Ok thanks; let me try that and check the code further on permissioning and repost when I get something. Relatively new at this, so still feeling my way with these groups and permissions.

Ok, closing the loop on this.

So the first part of the problem: I removed is_staff from those I wanted to have access to the delegated admin (a customized admin site), then had this in the permissioning part. Basically, if the user is active you get access to the customized admin.

def has_permission(self, request):
    """
    Checks if the current user has access.
    """
    return request.user.is_active

Next - Why were all users still having access to all modules and permissions in the customised admin site even when I had removed them in the admin? Probably a newbie mistake, but the code on the official site had the below (Customizing authentication in Django | Django documentation | Django):

def has_perm(self, perm, obj=None):
    "Does the user have a specific permission?"
    # Simplest possible answer: Yes, always
    return True

def has_module_perms(self, app_label):
    "Does the user have permissions to view the app `app_label`?"
    # Simplest possible answer: Yes, always
    return True

For permissioning and customising it, gotta comment the above out. Seems simple enough now, but at the start, when still a little new with permissions and nothing much mentioned on it, well, I guess it took a while. Returning true seems to give full access to all users and everything in it.

Any comments on the above much appreciated. Thank you.
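The checks worked out in this thread, as an added example that is not part of any post and not Django's own code: a framework-free Python model comparing the always-True `has_perm` user with one that answers from assigned permissions, at both the default admin gate and a delegated-site gate. The class names, the function names, and the `accounts.user_admin` and `shop.change_order` permission strings are assumptions made for illustration.

```python
# Added example, no Django import; class names and permission strings are constructed.
from dataclasses import dataclass


@dataclass
class DocExampleUser:
    """Mirrors the snippet in the post: every permission check says yes."""
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    perms: frozenset = frozenset()  # assigned "app_label.codename" strings

    def has_perm(self, perm, obj=None):
        return True

    def has_module_perms(self, app_label):
        return True


@dataclass
class PermissionBackedUser(DocExampleUser):
    """Answers from assigned permissions (simplified PermissionsMixin logic)."""

    def has_perm(self, perm, obj=None):
        return self.is_active and (self.is_superuser or perm in self.perms)

    def has_module_perms(self, app_label):
        owned = any(p.split(".", 1)[0] == app_label for p in self.perms)
        return self.is_active and (self.is_superuser or owned)


def default_admin_allows(user):
    # Same rule as Django's AdminSite.has_permission: active and staff.
    return user.is_active and user.is_staff


def custom_admin_allows(user):
    # Assumed delegated-site gate: "accounts.user_admin", not is_active alone.
    return user.is_active and user.has_perm("accounts.user_admin")


def can_edit(user, perm):
    # The two questions a ModelAdmin asks before exposing a model.
    return user.has_module_perms(perm.split(".", 1)[0]) and user.has_perm(perm)


if __name__ == "__main__":
    for u in (DocExampleUser(), PermissionBackedUser()):
        print(type(u).__name__, custom_admin_allows(u),
              can_edit(u, "shop.change_order"))
```

In a real project the second behaviour comes from adding `PermissionsMixin` to the `AbstractBaseUser` subclass and assigning the custom permission through a group, with no hand-written `has_perm`.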