On Tue, Mar 24, 2009 at 1:55 PM, benjamin.wins...@googlemail.com < benjamin.wins...@googlemail.com> wrote:
> Hello
>
> I have created a more robust login mechanism for my site, using
> username and password but then also other information, specific to
> each user. My main login works fine, but I want to kill the admin
> login page so that it can't be accessed (any users logging into the
> main site who qualify as user.is_admin will have access to the admin
> site still). I still have the original authentication backend in place
> - this is to partially authenticate users - and then I have a custom
> one to do the rest of the authentication. If users can access the
> default admin login, they can bypass the second stage of
> authentication.
>
> I can't just redirect /admin to another url, since the admin app uses
> this once authentication has occurred. I want to make sure no-one can
> reach the default (less secure) login page.
>
> Please, someone in the know let me know how to fix this.

You can monkey-patch / manual-decorate / whatever-you-want-to-name-it the
admin url dispatcher.

In your auth system __init__.py:

    from django.contrib.admin import sites

    def auth_decorate(admin_root):
        def new_root(self, request, url):
            "Catch request to test if properly authenticated"
            # stuff.... (auth_ok and why_are_you_hacking_me are placeholders
            # for your own check and your own refusal response)
            if auth_ok:
                # continue transparently
                return admin_root(self, request, url)
            else:
                # call FBI?
                return why_are_you_hacking_me()
        return new_root

    # root() is a method of the AdminSite class, so patch it on the class
    sites.AdminSite.root = auth_decorate(sites.AdminSite.root)
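An added example, not part of the original message: the wrapper from the reply with its "stuff" filled in as a check that both authentication stages have completed. It uses stand-in classes instead of Django so it runs offline; the session key `second_stage_ok`, the `/login/` URL and the `authenticated` attribute are assumptions, and `is_admin` is the attribute name used in the question.

```python
# Added illustration: stand-in classes replace Django so this runs offline.
from functools import wraps

SECOND_STAGE_KEY = "second_stage_ok"   # hypothetical session flag set by the custom backend
MAIN_LOGIN_URL = "/login/"             # assumed URL of the site's full login page


class Redirect:
    """Stand-in for an HTTP redirect response."""
    def __init__(self, location):
        self.status, self.location = 302, location


class User:
    """Stand-in user; is_admin is the attribute name used in the question."""
    def __init__(self, authenticated=False, is_admin=False):
        self.authenticated, self.is_admin = authenticated, is_admin


class Request:
    """Stand-in request carrying a user and a session dict."""
    def __init__(self, user, session=None):
        self.user, self.session = user, session or {}


class AdminSite:
    """Stand-in admin dispatcher: shows its own login form to anonymous users."""
    def root(self, request, url):
        if not request.user.authenticated:
            return "default admin login form"
        return "admin page: " + url


def auth_decorate(admin_root):
    @wraps(admin_root)
    def new_root(self, request, url):
        user = request.user
        fully_authenticated = (
            user.authenticated
            and user.is_admin
            and request.session.get(SECOND_STAGE_KEY) is True
        )
        if not fully_authenticated:
            # Never fall through to admin_root: it would render the weaker login.
            return Redirect(MAIN_LOGIN_URL)
        return admin_root(self, request, url)
    return new_root


# Patch the method on the class so every AdminSite instance is covered.
AdminSite.root = auth_decorate(AdminSite.root)
```

A user who passed only the first backend has no session flag and is sent to the main login, so the default admin login form is never rendered.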