0

I've disabled authentication for Django admin panel as described here.
I would like to go further and completely skip django.contrib.auth migrations like users or groups tables.

I've tried to remove django.contrib.auth from INSTALLED_APP and then I got error like below:

RuntimeError: Model class django.contrib.auth.models.Permission doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.

Is there any way to use Django admin panel without migrating django.contrib.auth migrations?

Mateusz
  • 219
  • 2
  • 13

2 Answers2

0

Short answer : No

Long answer : From a security standpoint there is absolutely no reason to ever do that, you will make your database open to everyone, with personal information.

Fortunately Django is smart enough to not let anyone do that and the requirements for the administration requires the auth middleware and the django.contrib.auth dependencies.

Again, you should not do that, you could tweak the Django framework and that could work, but you will need to write a lot of boilerplate and most package won't work.

If you want to update your authentication backend Django make it pretty easy to do so : https://docs.djangoproject.com/en/4.1/topics/auth/customizing/

But be aware that would still need at least one auth backend for the admin to work.

Gaëtan GR
  • 1,380
  • 1
  • 5
  • 21
  • Logic for authentication and authorization is moved to another service (gateway). If one gets to that link leading to the admin panel I assume they have the required permissions.In addition, the application will not store any user data, therefore i want to skip `django.contrib.auth` migrations. – Mateusz Sep 09 '22 at 06:31
  • Even if you have a gateway you still need a way to authenticate the user and the administration requires it, so in order to remove the django.contrib.auth you will need to write your own authentification backend, but still, I don't understand why some would want to do that. You could instead use an api token to authenticate your users and write some sort of autologin, but you will, again, need a authentication backend – Gaëtan GR Sep 09 '22 at 06:39
  • See updated answer – Gaëtan GR Sep 09 '22 at 06:40
  • That is correct, but authentication and authorization process is handled in `gateway` service. Idea is, that this django app knows nothing about tokens or users, everyone who gets the url to this django service is already authorizated and this django service should not authenticate user. I'm aware, that i need kind of custom authentication backend, but I was looking for kind of example of it without `django.contrib.auth` features. It seems that I need to return user instance, which will not work in my case. Moreover, `admin` returns permissions exception, upper error. – Mateusz Sep 09 '22 at 07:01
0

django admin (django.contrib.admin) is tightly coupled with django.contrib.auth. I didn't find a way to use use admin panel without auth app.

Nevertheless, I've found a solution, which met my expectations. I've set has_permission attribute of admin.site to True, as described here.
Next, I've unregistered Group and User models from admin panel as described here. It's not clean solution, since django.contrib.auth migrations are still run, but normal user will not notice.

Mateusz
  • 219
  • 2
  • 13