Would be great to have the deprecation warning removed, thanks :)

The version on PyPI is outdated without Py3k support. Perhaps a good idea to make a new release and post this to PyPI?

First admin/auth/change_form.html should probably be renamed to loginas/change_form.html and a new admin/auth/user/change_form.html should be made that contains only:

{% extends "relatives/change_form.html" %}

There are two ways to add the login as button to your custom user model's admin page.

1. The easiest way to add the login as button is to set the template on the model admin:

   class CustomUserAdmin(ModelAdmin):
       change_form_template = 'loginas/change_form.html'
   

2. If you are already using a custom template you need to instead extend the loginas/change_form.html template in that template.

That's how I document a similar feature for django-relatives.

By the way you might checkout django-relatives if you get a chance. I just made it recently.

Question:
Is it possible to grant "loginas" rights to somebody who is not staff member?
If yes, then how would this person access the loginas feature since this button is only present in the admin pages?
-> Is there a way such a button can be placed on any page?

Thank you
Davy

Is it something like this maybe:

<a class="sm" href="{% url 'loginas-user-login' user_id=other_user.id %}">login as</a>

Using this lib with Django 1.8 will fire deprecation warning. Django-loginas should use importlib from standard Python library instead of deprecated Django version.

Problem discovered using pep438 tool:

$ sudo pip install pep438
$ pep438 django-loginas
✗ django-loginas: 3 links

Page showing extra links: http://pypi-externals.caremad.io/django-loginas/

Hello,

in restore_original_login (utils), why to log an error when the original session expired ?
Can i made a PR to remove this error and and a parameter to choose the time delta value ?

Sincerely,

François

Hi there,

First and foremost, thank you for a wonderful django module. It has saved countless support and QA hours.

Python version: 3.7

Django version: 3.2.2

Loginas version: 0.3.9

Django 3.2 introduced final_catch_all_view on the AdminSite class. This was introduced to prevent a bad actor from enumerating admin pages.
https://docs.djangoproject.com/en/3.2/ref/contrib/admin/#django.contrib.admin.AdminSite.final_catch_all_view

I think this change might have broken the admin loginas button implementation. If final_catch_all_view is set to True (the default), then clicking the loginas button results in a 404. If the setting is set to False, the button works as expected.

I have some custom admin urls in my project and the work around was modifying the def get_urls() method on AdminSite like so:

def get_urls(self):
    url_list = super().get_urls()

    # from django.urls import path
    custom_path_obj = path(...)
    url_list = [custom_path_obj] + url_list
    # the above line used to be: url_list.append(custom_path_obj)

    return url_list

This is done because the final_catch_all_view url is added to the END of the admin url list. By prepending the custom url, we ensure the django admin finds it before the catch all. Here is a conversation in the django developers google group with more details
https://groups.google.com/g/django-developers/c/vHZ8F8Nvq9M?pli=1

Although I think I understand how to fix this for my own admin pages, I'm unsure how to use this to fix the issue with loginas. We use loginas and would like to upgrade to 3.2, so I'm happy to take a pass at a pull request if someone else can provide some advice on how to implement.

If i login as another user. When i log out, i retrieve my former user.
But then, when i logout again, i'm still connected.

The user session flag is never removed from session. Why ?

Sincerely,

F.P

Django supports customizing the User model, and also the username field in it. Allow django-loginas to support it, instead of assuming it will always be called 'username'.

@skorokithakis I've submitted a PR (See #36) for this.

Hi,

What is actually required to display the "log in as" button?
I have a user that is in a group A that has the change permission on user but the button is not displayed. I tried to give all the permissions to this group and it did not change anything.
Only when I set the user as a super user, he can see the button.
Is it required to be a super user to see the "log in as" button?

Thanks

Nice job thanks!

You're already storing the original user.pk in the session, it would be great to be able to go back to being who you were without logging out. If there's no objection I'd be happy to add a view for that.

Then perhaps a context processor to put html for a button in the context when the user is being impersonated. It would be up to the application developer to decide where to place the button so that anyone will be able to see it, since that would vary for every application.

For compliance reasons it might be nice to add a reason for logging in as a user, for example to add a link to the internal support ticket. Just a TextField that gets added to the django admin history would be great.

While following the installation I kept getting "Page Not Found" and some errors like

Page not found (404)
Request Method:	GET
Request URL:	http://localhost:8000/admin/
Using the URLconf defined in config.urls, Django tried these URL patterns, in this order:

__debug__/
about/ [name='about']
admin/ ^login/user/(?P<user_id>.+)/$ [name='loginas-user-login']
admin/ ^logout/$ [name='loginas-logout']
users/
accounts/
...

Eventually I solved it by doing this in urls.py

urlpatterns = [
    path(settings.ADMIN_URL, admin.site.urls),
    path(settings.ADMIN_URL, include("loginas.urls")),
...

since I pull the admin url from config as prescribed by django-cookiecutter

Hi,

I found very esoteric bug. I am using custom id fields format for my models in django. It is CharField and values are in form of "usr_12345". Apparently for such specific id django admin assumes that some values can brake admins urls, so they are using special layer of custom quote/unquote from here:

https://github.com/django/django/blob/master/django/contrib/admin/utils.py#L63

Basically for such id usr_12345 django actually generate links like this: /admin/accounts/user/usr_5F12345/change/.

This affects also 3rd party tools as django-loginas link generated inside django admin is of this form:
`/admin/login/user/usr_5F12345/

Ths obviously creates 404 error as loginas cannot find user with quoted id usr_5F12345.

I am providing very easy fix for that, just unquoting the user_id value before processing.

PS. Quoting issue is completely transparent for integer based IDs.

I wait release in pypi with commit caa0f58

I'd love to use PyPI wheel package with the new translations, but unfortunately currently I have to get it from GIT...

https://djangopackages.org/packages/p/django-loginas/

Hi,
There's a bug no one seems to have spotted.
When you edit a user group in the admin, the "Log in as user" button is displayed, which is useless. Worse, it tries to login as a user that has the same id as the currently edited group.

My Django web app has access to 2 different domains. Processing is done according to the user's country. When I click the button, I want to redirect a domain according to the user's country. I overrode login as a display method, but login to a different domain did not occur. When I click the button from domain a, I want to log in to domain b. How should we approach this?

Hello,

I use django as my backend and nuxt3 as my frontend. As soon as I login as another user through the admin dashboard, I get sent to the django urls. These are located at localhost:8000 for example. While my frontend is located at localhost:3000.

How can I solve this issue? It also doesn't look like my frontend know that it's logged in as another user.

We get notifications about new releases but don't know where to look for the changes.

django-loginas does not work with django-rules as an Authentication Backend.

We use django-rules to specify custom authentication rules. As a result, we have this in our settings:

AUTHENTICATION_BACKENDS = (
    'rules.permissions.ObjectPermissionBackend',
    'django.contrib.auth.backends.ModelBackend',
)

However, rules.permissions.ObjectPermissionBackend does not specify a get_user method (as seen here). Even though, the Django documentation says that each backend must implement a get_user method, apparently this is not enforced (!?). This was discussed in a django-rules issue here:
dfunckt/django-rules#46

The reason why I believe this is not enforced is because they made some changes in the behavior of force_login (https://code.djangoproject.com/ticket/27542#ticket).

A quick workaround would be to check if the authentication backend has a get_user method. If not, then continue.

Does this make sense?

Hello, i installed loginas with pip, then put in installed apps in settings, then i change my admin url, I remove admin.site.urls and I wrote include('loginas.urls'), but that doesn't work, could you help me to install it? Thanks

Maybe it is time to extend the test config with new versions:

• Django 1.10 has been out for a while, 1.11 is in alpha
• Python has 3.5 and 3.6

When loginas is used, an item should be entered into the user's "history" table, saying something like "User X logged in as user Y.".

I defined a staff member that can only view other users.
I can log in as that staff member to the admin page, and see the list of users.
When trying to use the login-as for a certain user, I'm getting:
You do not have permission to do that.

Is there any other permission I need to enable?
The use case might be customer support, needing to log in as a customer, but they should not have full access in the admin page.

Thanks

I have different user types:
admin
manager
regular user

I can go through different levels using log in as, but once I click loginas-logout, in the first level, then I cannot go up back to admin.
I wonder if loginas-logout should go to the original user

It appears as though the loginas app has an undocumented dependency on the django.contrib.admin app in utils.py

Traceback (most recent call last):                                                                                                                 
[...]                                                                  
  File "/app/project/apps/accounts/urls.py", line 4, in <module>                                                                                   
    from loginas.views import user_login                                                                                                           
  File "/usr/local/lib/python3.7/site-packages/loginas/views.py", line 11, in <module>                                                             
    from .utils import login_as, restore_original_login                                                                                            
  File "/usr/local/lib/python3.7/site-packages/loginas/utils.py", line 7, in <module>                                                              
    from django.contrib.admin.models import CHANGE, LogEntry                                                                                       
  File "/usr/local/lib/python3.7/site-packages/django/contrib/admin/models.py", line 39, in <module>                                               
    class LogEntry(models.Model):                                                                                                                  
  File "/usr/local/lib/python3.7/site-packages/django/db/models/base.py", line 111, in __new__                                                     
    "INSTALLED_APPS." % (module, name)                                                                                                             
RuntimeError: Model class django.contrib.admin.models.LogEntry doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.

I believe this could be corrected by testing whether the admin is installed or not, and skipping trying to create the LogEntry if isn't installed. If that makes sense, I can submit a patch to make this change.

Hi,

I need a feature like Netflix users management, that one users can impersonate the "children"

Thanks for support!

Hi,

Is there a way to know we are logging in via this method?
For example, I do not want the analytics to be triggered on the pages if an admin logs in as a user to check something.

Thanks

Hello,
The default implementation of django.contrib.auth.backends.ModelBackend.get_user prevents inactive users to logging in since Django 1.10 (see user_can_authenticate). I do believe this error should't be critical since you could fix it without updating project configuration and better showing warning / error message instead.
How about allow throwing custom exception in can_login_as with the reason why you can't log in as a target user and showing it to the authenticated user in this case?

I can imagine a situation in which a user that is not a superuser may need to authenticate as other users. I think it might be a good idea to check whether the user is a superuser or is in a particular group.

Thoughts on this?

Here's the use case:

1. Staff user logs into admin site
2. Staff user navigates to Post model's page
3. Staff user clicks "View on Site"
4. The post is private so a page is shown to admin user presenting a list of users to re-authenticate as
5. Staff member selects a user to re-authenticate as and is logged in and redirected to the page

In my project I have 500 error on group change page (ex. "/admin/auth/group/1/") due to template "/templates/loginas/change_form.html". I don't know why, workaround: not use pip, clone sources in project app directory, remove all templates and use this app.
I use Python 3.4, Django 1.7.

Error when used with Django 1.5 due to url syntax change (i.e. from {% url loginas-user-login object_id %}).

Please update, thanks!

Tried the latest django-loginas (master branch of this repo) and got this error:

  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/Users/mmalysh/Development/mining-website/kryptex/config/urls.py", line 57, in <module>
    url(r'^adminium/', include('loginas.urls')),
  File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/django/urls/conf.py", line 34, in include
    urlconf_module = import_module(urlconf_module)
  File "/Users/mmalysh/.pyenv/versions/3.6.9/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/urls.py", line 2, in <module>
    from loginas.views import user_login, user_logout
  File "/Users/mmalysh/Development/mining-website/venv/lib/python3.6/site-packages/loginas/views.py", line 5, in <module>
    from django.utils import six
ImportError: cannot import name 'six'

Hi,
After merging the pull request number #106 , the local directory doesn't make any more.

Thanks for the incredibly useful tool! Would it be possible to release a new version? Thank you very much :) .

In the Readme file there is the following line:
CAN_LOGIN_AS = lambda request, target_user: request.user.is_admin and not target_user.is_admin

using Django 1.8, I received an AttributeError that is_admin is not a valid attribute ("'User' object has no attribute 'is_admin'"), so I changed it to is_superuser and it now works. Not sure if is_admin worked in older versions, but it seems to be broken in 1.8... otherwise, amazing package!

Sorry for my English.

I'm trying to add "Login as" buttons to admin changelist and faced with the complexity associated with the fact that user_id passed via URL. If you will pass it as POST parameter, you will have the opportunity to use single form with multiple buttons like this:
<button form="loginas-form" name="user_id" value="{{ user.id }}">Login as {{ user.username }}</button>

Thanks for a very useful app!

I think the user switch should happen on a POST request. It's both a more appropriate HTTP method for this type of requests, but more importantly it will ensure that CSRF check is performed. As it is now, anybody can change the user for me just by knowing the URL and embedding an image to a page I visit.

For audit-ability, I don't want superusers to be able to authenticate as other staff users (especially not as other superusers).

One (or more) of these could work:

1. Completely disallow logging in as other staff users
2. Add a setting that when enabled will disallow logging in as other staff users
3. Add a setting allowing certain user groups to be excluded from the loginas feature
4. Add a setting restricting the loginas feature to certain user groups