I'm currently learning about web development using Django and something I thought about but can't seem to find a solution to is how to make the admin page of the web app accessible to developers but not to the users of the app while it is hosted on something like Azure or AWS.

The idea is to have an admin page so the developers can see what is going on and manage what needs to be managed, but not allow the clients to reach the login page to the admin interface.

  • you can add validation to the specific users of admin classes – HERAwais Sep 30 '19 at 04:47
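  • something like this:

    ```python
    from django.contrib.auth import authenticate, login

    username = form.cleaned_data.get("username")
    password = form.cleaned_data.get("password")
    user = authenticate(username=username, password=password)
    # authenticate() returns None when the credentials are wrong
    if user is not None and user.id == 22:
        login(request, user)
    ```

    – HERAwais Sep 30 '19 at 04:48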
  • @luiz you can set `is_staff=True` for the developers. – Nalin Dobhal Sep 30 '19 at 05:28
  • Depending on what you want to manage, you can also modify the standard admin page - if you need more managing options, you can create custom User Models with different rights and then check those rights either with user.is_staff or is_admin or with decorators (I like that solution better since it looks cleaner and works like checking is_staff manually - https://stackoverflow.com/questions/5833184/django-is-staff-permission-decorator) – ItsMeTheBee Sep 30 '19 at 06:46

1 Answer

Only users with the is_admin flag set are able to log in to the admin - https://docs.djangoproject.com/en/2.2/ref/contrib/auth/#django.contrib.auth.models.User.is_staff. You might also want to change the admin URL from the default /admin to something else, so that only people who know the exact URL can access the admin login page. Like this:

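```python
# urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # Serve the admin under a non-default prefix instead of 'admin/'
    path('some-url-that-is-hard-to-guess/', admin.site.urls),
    # ... other URL patterns
]
```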

UPD

Changing the admin URL is one of the recommended measures. If you want more, check out, for example, https://opensource.com/article/18/1/10-tips-making-django-admin-more-secure

Eugene Prikazchikov
  • This is more along the lines of what I was thinking. Is it standard practice to have just a really difficult URL path that people aren't going to be able to guess for the admin URL? – Luiz Manella Sep 30 '19 at 18:59
  • This is one of the recommended measures. If you want more, check out, for example, https://opensource.com/article/18/1/10-tips-making-django-admin-more-secure – Eugene Prikazchikov Sep 30 '19 at 19:55
  • Thanks! That's exactly what I was looking for :) – Luiz Manella Oct 01 '19 at 05:25
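
An added example, not part of the original answer or of Django: one way to keep the hard-to-guess admin prefix out of the repository by reading it from an environment variable and refusing values that are easy to guess. The variable name `DJANGO_ADMIN_PATH` and both helper functions are assumptions made for this sketch; the staff flag check on login still applies on top of it.

```python
import os
import re
import secrets

# Hypothetical names: DJANGO_ADMIN_PATH and these helpers are assumptions
# made for this example, not Django settings or APIs.
ENV_VAR = "DJANGO_ADMIN_PATH"
GUESSABLE = {"admin", "administrator", "backend", "manage",
             "dashboard", "login", "staff", "cms"}
MIN_LENGTH = 16
_ALLOWED = re.compile(r"[A-Za-z0-9_-]+")


def generate_admin_path(nbytes=24):
    """Return a random URL-safe prefix ending in '/' for first-time setup."""
    return secrets.token_urlsafe(nbytes) + "/"


def admin_path_from_env(environ=None):
    """Read the admin URL prefix from the environment and reject weak values.

    Returns the prefix with exactly one trailing slash, ready for path().
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(ENV_VAR, "").strip().strip("/")
    if not raw:
        # Fail closed: never fall back silently to the default 'admin/'.
        raise ValueError(f"{ENV_VAR} is not set")
    if not _ALLOWED.fullmatch(raw):
        raise ValueError(f"{ENV_VAR} must be one segment of letters, digits, '-' or '_'")
    if raw.lower() in GUESSABLE or len(raw) < MIN_LENGTH:
        raise ValueError(f"{ENV_VAR} is too short or too easy to guess")
    return raw + "/"


# In urls.py (Django is not imported here so the helper runs on its own):
#     urlpatterns = [path(admin_path_from_env(), admin.site.urls)]
```

Run `generate_admin_path()` once, store the result in the hosting platform's application settings, and let the project fail at startup if the variable is missing or weak.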