如何使Django管理员网站由非员工用户访问？ [英] How to make Django admin site accessed by non-staff user?

问题描述

我想实施第二个管理网站，该网站提供主要管理网站的一部分功能。这是可能的，并在 Django docs

I would like to implement a 2nd admin site which provides a subset of feature of the primary admin site. That's possible and described in the Django docs

但是，我想限制主管理站点上的访问。有些用户可以访问第二个站点，但不能访问主站点。

However, I would like to limit access on the primary admin site. Some users can access the 2ndary site but not the primary site.

为了实现该功能，我希望这些用户不会在员工中（is_staff = False ）并重写 AdminSite.has_permission

In order to implement that feature, I would like these users no to be in the staff (is_staff=False) and rewrite the AdminSite.has_permission

class SecondaryAdminSite(AdminSite):

    def has_permission(self, request):
        if request.user.is_anonymous:
            try:
                username = request.POST['username']
                password = request.POST['password']
            except KeyError:
                return False
            try:
                user = User.objects.get(username = username)
                if user.check_password(password):
                    return user.has_perm('app.change_onlythistable')
                else:
                    return False
            except User.DoesNotExist:
                return False
        else:
            return request.user.has_perm('app.change_onlythistable')

不幸的是，这种方法不起作用。用户可以登录，但在辅助管理站点中看不到任何内容。

Unfortunately, this approach doesn't work. The user can login but can't see anything in the secondary admin site.

此方法有什么问题？
任何想法如何实现此功能？

What's wrong with this approach? Any idea how to implement this feature?

提前感谢

推荐答案

我认为你现在可以做到这一点： http://code.djangoproject.com/票/ 14434 （5周前关闭）

I think that your approach should now be possible: http://code.djangoproject.com/ticket/14434 (closed 5 weeks ago)

然而，显示的is_staff检查仍然在两个地方完成（除了staff_member_required装饰器）：

However, the explicit "is_staff" check is still done in two places (apart from the staff_member_required decorator):

• django.contrib.admin.forms.AdminAuthenticationForm.clean（）

• django.contrib.admin.forms.AdminAuthenticationForm.clean()

除了has_permission（）之外，您需要为您的非职员AdminSite提供一个不执行is_staff检查的login_form，因此可以相应地子类化和调整clean（）。

On top of "has_permission()" you'd need to provide your non-staff AdminSite with a "login_form" that doesn't do the is_staff check, so could just subclass and adjust clean() accordingly.

templates / admin / base.html

templates/admin/base.html

需要稍微自定义。
仅为活动人员显示id为user-tools的div。我假设这样做是因为登录表单也使用这个模板，有人可以作为一个活跃的非工作人员登录，但仍然不应该看到这些链接。

would need to be slightly customized. The div with id "user-tools" is only shown for active staff members. I'm assuming that's done because the login form also uses this template, and someone could be logged in as an active non-staff member but still should'nt see those links.

这篇关于如何使Django管理员网站由非员工用户访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！