Managing Users in the Admin

If you remember from the beginning of the chapter, Django’s built-in authentication system is added to the admin interface when you create a new project. With the admin you can:

  • Add and delete users
  • Edit existing users
  • Reset user passwords
  • Assign staff and/or superuser status to a user
  • Add or remove user permissions
  • Create user groups; and
  • Add users to a group

The superuser we created earlier has full access to all models in the admin and can add, change, and delete any model record. In a real application, you will want to limit the number of users who have full access to your site.

Adding a new user is easy—go to the admin index page and click the green plus sign on the right of the Users entry on the admin home page. Enter a username and password and click save to add the new user.

Return to the admin home page and click Users to open the user change list (Figure 7-12). Click on the username to open the user edit screen.


Figure 7-12: Select the new user from the user change list to edit the user’s details.

At the top of the user edit screen, you will see options to edit the user’s password and personal info. Scroll down to the Permissions section and make sure “Staff status” is checked and “Superuser status” is unchecked (Figure 7-13).


Figure 7-13: Create a normal admin user (non-superuser) by making sure they are active and have staff status, but don’t have superuser status.

What we have created here is considered a normal admin user. Normal admin users (active, non-superuser staff members) are granted admin access through assigned permissions. Each object editable through the admin interface (e.g., events and venues) has four permissions: a create permission, a view permission, an edit permission, and a delete permission.

Assigning permissions to a user grants the user access to do what is described by those permissions. When you create a user, they have no permissions. It’s up to you to give the user specific permissions.

We will do that now—we will create a staff user who has permission to add and edit events, but not to delete them. Scroll down the edit page to the User permissions panel and add the following permissions using the horizontal filter (Figure 7-14):

  1. events | event | Can add event
  2. events | event | Can change event


Figure 7-14: Add permissions to the user by selecting in the horizontal filter and adding to the list. Make multiple selections by holding down the CTRL key (Command on a Mac).

Once you have added the permissions, log out and log back in as the new user. The admin dashboard will now only show the events app, hiding all the other models that the user doesn’t have permission to access (Figure 7-15).


Figure 7-15: The new user’s permission setting limits their admin access to the events app. If you open an event, you will also notice the delete button is hidden as they don’t have delete permission.

This is pretty straightforward, but what if you have many staff members who need permission to add and edit events? It’s time-consuming to add permissions one at a time to each user. Luckily, Django allows you to create user groups. A group is simply a named set of permissions that can be assigned to a user all at once, rather than one permission at a time.

Let’s create an “Event Admin” group. You will first have to log out as the staff user and log back in as the superuser.

Creating a group is like creating a user: go to the admin index page, click the green Add button to the right of the Groups listing, and name your new group “Event Admin”. Then, add the permissions from the horizontal filter and save your new group (Figure 7-16).


Figure 7-16: Create a user group and add event add and change permissions to the group using the horizontal filter. Make multiple selections by holding down the CTRL key (Command key on a Mac).

Once you have added the group, you can go back to the user and edit their permissions to add the new group (Figure 7-17).


Figure 7-17: Adding a user to a group assigns all the group’s permissions to the user.

Don’t forget to delete the permissions you assigned previously to prevent any permission clashes later. Save the user, and now, when you log out and log back in again as the staff user, they will have the same restricted view of the admin as we saw in Figure 7-15.
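To make the permission rules above concrete, here is an added stand-in model (written for this page, not Django’s own code or the book’s) of how Django’s default ModelBackend resolves user.has_perm() for the Event model: inactive users have no permissions, an active superuser passes every check, and everyone else gets the union of their own permissions and their groups’ permissions. The Group and User classes, the helper names and the usernames are constructed for the example; in a real project you would use django.contrib.auth’s models instead.

```python
# Added stand-in model of Django's permission resolution; not Django's code.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    permissions: set[str] = field(default_factory=set)  # "app_label.codename"


@dataclass
class User:
    username: str
    is_active: bool = True
    is_staff: bool = False       # only gates admin login; grants no model perms
    is_superuser: bool = False
    user_permissions: set[str] = field(default_factory=set)
    groups: list[Group] = field(default_factory=list)

    def get_all_permissions(self) -> set[str]:
        """Directly assigned perms plus every group's perms; inactive users get none."""
        if not self.is_active:
            return set()
        perms = set(self.user_permissions)
        for group in self.groups:
            perms |= group.permissions
        return perms

    def has_perm(self, perm: str) -> bool:
        """Like ModelBackend: an active superuser passes every check."""
        if self.is_active and self.is_superuser:
            return True
        return perm in self.get_all_permissions()


def allowed_event_actions(user: User) -> dict[str, bool]:
    """The four per-model permissions the admin consults for the Event model."""
    return {a: user.has_perm(f"events.{a}_event") for a in ("add", "change", "view", "delete")}


def admin_can_view_events(user: User) -> bool:
    """The admin's has_view_permission also accepts the change permission,
    which is why the chapter's add+change user can still open the event list."""
    return user.has_perm("events.view_event") or user.has_perm("events.change_event")


# Constructed sample data mirroring the walkthrough above.
event_admin = Group("Event Admin", {"events.add_event", "events.change_event"})
staff = User("staffuser", is_staff=True, groups=[event_admin])
superuser = User("admin", is_staff=True, is_superuser=True)
leaver = User("leaver", is_active=False, is_staff=True, groups=[event_admin])

if __name__ == "__main__":
    for u in (staff, superuser, leaver):
        print(u.username, allowed_event_actions(u), admin_can_view_events(u))
```

Deactivating a user (unchecking "Active") is therefore the safe way to revoke access without deleting their record, and staff status alone never grants access to any model.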

Changing Passwords

As a security measure, Django doesn’t store raw passwords, so it’s impossible to retrieve a password. A user can change their password, but they have to be logged in first.

So how do you reset a password if the user has forgotten it?

The default admin configuration only allows an admin, or someone with permission to edit users, to reset a password by using the password reset form link on the user edit form (Figure 7-18).


Figure 7-18: Default way to reset a user’s password.

Obviously, we don’t want to require an admin to log in and manually reset user passwords each time someone forgets their password.

Giving staff users permission to edit a user record is not practical either because giving anyone edit user permissions will allow them to edit all users (effectively turning them into a superuser).

Thankfully, Django has a password reset feature built in; we just have to turn it on. Make the following modifications to your site urls.py file (changes in bold):

    # \myclub_root\myclub_site\urls.py
    1   from django.contrib import admin
    2   from django.urls import include, path
    3   from django.contrib.auth import views as auth_views
    4
    5   urlpatterns = [
    6       path('admin/', admin.site.urls),
    7       path(
    8           'admin/password_reset/',
    9           auth_views.PasswordResetView.as_view(),
    10          name='admin_password_reset',
    11      ),
    12      path(
    13          'admin/password_reset/done/',
    14          auth_views.PasswordResetDoneView.as_view(),
    15          name='password_reset_done',
    16      ),
    17      path(
    18          'reset/<uidb64>/<token>/',
    19          auth_views.PasswordResetConfirmView.as_view(),
    20          name='password_reset_confirm',
    21      ),
    22      path(
    23          'reset/done/',
    24          auth_views.PasswordResetCompleteView.as_view(),
    25          name='password_reset_complete',
    26      ),
    27      path('', include('events.urls')),
    28  ]

On line 3, we import the authentication views from django.contrib.auth and add four new path statements to our site URLs (lines 7, 12, 17, and 22). Once Django detects a URL named admin_password_reset, it will automatically add a password reset link to the login form (Figure 7-19).


Figure 7-19: Adding the authentication views to your site URLs enables the password reset feature of the login form.

Note that we’ve only enabled the link; you would need to set up an email backend for the reset link to actually work.