Admin login as non-superuser avoids allauth login flow #4766
Comments
When applying your proposal I'm facing
It is true, I did not realize that the first time...
Perhaps we can destroy the current session when this occurs? Then the user is redirected to the correct form with the correct redirect URL.
Something like this would work to check if the user is a staff member and if not automatically perform a logout, display an error message and redirect to the login page:
Not sure if you meant something like that
Exactly what I meant! Do you mind providing a PR (when you do, do not forget to translate the error message)?
Perfect!
This has now been updated in allauth 0.63.1 and there is a new workaround in the allauth docs.
What happened?
When logging into the admin console through allauth (DJANGO_ADMIN_FORCE_ALLAUTH=True), everything works fine when logging in as a superuser.
When logging in as a normal user, the user gets redirected to the Django admin site with "You are logged in but do not have access to this page. Do you want to log in as a different user?".
This seems like a way to go around the allauth login flow.
Solution
Currently, this snippet is used to check for a logged-in user:
But shouldn't it rather check for a superuser like specified in the allauth docu, like so?