1

In my Django app a user can register to the site and receive staff_user privileges from the admin. After that the staff user can create and manage some other users (normal users) using default django admin site. Now, I would like to let the staff user see and manage only the users he created from the admin site, I don't want him to see other users created by another staff user.

how can I do that? I imagine I need to modify admin.py right?

avafab
  • 1,601
  • 3
  • 20
  • 38

2 Answers2

1

Don't modify the admin site.

In general, you have the following tools available:

  • Create groups
  • Add users to groups
  • Create custom permissions on your models, to indicate certain actions

https://docs.djangoproject.com/en/1.4/topics/auth/#custom-permissions

However, what you are asking: Now, I would like to let the staff user see and manage only the users he created from the admin site is not possible in django-admin.

The Django-admin site is only intended as a glorified development tool for fully trusted users, not as a customizable app for end users.

If your project requires an admin site with any of the following ...

  • Customized administraion functionality.
  • Exposure to any user that is not completely trusted.

... then I'm afraid you have to create your own custom app.

thnee
  • 5,817
  • 3
  • 27
  • 23
  • Ok I made a group and put some staff_users there with the permission to create other users. When I log in as a staff_user and I go to the users view in the admin I see also the normal users created by other staff users, I don't want this. how to hide the users I'm creating to other staff users? – avafab Apr 10 '13 at 17:28
  • do not us is_staff use is_admin feature for this. – karthikr Apr 10 '13 at 17:50
  • I was able to show to a staff user only their own Entries butI don't understand why I cannot show to him also his own users.. myabe I need to create an extra field to the user model to link the user with his creator (the staff user)? – avafab Apr 10 '13 at 18:12
  • If you are using django 1.5 it's possible to use your own User object, but that still won't change the current functionality available in the django admin app. "The admin is not your app". – thnee Apr 11 '13 at 08:46
0

You can replace the stock UserAdmin with your own which overrides queryset() and does the filtering. The bigger issue is what to filter by. The default User model does not store a "created_by" in the model instance. So you would need to add this information whenever a User is added.

How best to do this depends on your Django version. Django 1.5 introduced a "Configurable User model" which makes this very easy. https://docs.djangoproject.com/en/dev/releases/1.5/#configurable-user-model

In earlier versions you would either have to monkeypatch the User model, or store that information in a separate "user profile" attached 1:1 to the User. https://docs.djangoproject.com/en/dev/topics/auth/customizing/#extending-the-existing-user-model

Regarding the trusting of users (which wasn't a topic but I feel the need to comment on thnee's answer) in the Django admin, check out the links in my answer here: Should I use Django's Admin feature?

Community
  • 1
  • 1
Danny W. Adair
  • 12,498
  • 4
  • 43
  • 49