Admin login as non-superuser avoids allauth login flow

[jkaeske]

What happened?

When logging into the admin console through allauth (DJANGO_ADMIN_FORCE_ALLAUTH=True), everything works fine when logging in as a superuser.
When logging in as a normal user, the user gets redirected to the Django admin site with "You are logged in but do not have access to this page. Do you want to log in as a different user?".
This seems like a way to go around the allauth login flow.

Solution

Currently, this snippet is used to check for a logged-in user:

from django.contrib.auth import decorators

if settings.DJANGO_ADMIN_FORCE_ALLAUTH:
    # Force the `admin` sign in process to go through the `django-allauth` workflow:
    # https://django-allauth.readthedocs.io/en/stable/advanced.html#admin
    admin.site.login = decorators.login_required(admin.site.login)  # type: ignore[method-assign]

But shouldn't it rather check for a superuser like specified in the allauth docu, like so?

from django.contrib.admin.views.decorators import staff_member_required

if settings.DJANGO_ADMIN_FORCE_ALLAUTH:
    # Force the `admin` sign in process to go through the `django-allauth` workflow:
    # https://django-allauth.readthedocs.io/en/stable/advanced.html#admin
    admin.site.login = staff_member_required(
        admin.site.login, login_url=settings.LOGIN_URL
    )

[foarsitter]

When applying your proposal I'm facing ERR_TOO_MANY_REDIRECTS.

[jkaeske]

It is true, I did not realize that the first time...
Maybe it is a django-allauth problem?
If I log in as a non staff member with the snippet from the allauth docs the too many redirects error is raised
If I take the current admin.site.login = decorators.login_required(admin.site.login) snippet I can go around the allauth login flow.

[foarsitter]

Perhaps we can destroy the current session when this occurs? The the user is redirected to the correct form with the correct redirect url.

[jkaeske]

Something like this would work to check if the user is a staff member and if not automatically perform a logout, display an error message and redirect to the login page:

from django.contrib.auth import decorators, logout
from django.shortcuts import redirect
from django.contrib import messages

if settings.DJANGO_ADMIN_FORCE_ALLAUTH:
    # Define a custom AdminSite class to check if the user is a staff member
    class CustomAdminSite(admin.AdminSite):
        def login(self, request, extra_context=None):
            if request.user.is_authenticated and not request.user.is_staff:
                logout(request)
                storage = messages.get_messages(request)
                # Clear all other messages first
                storage.used = True
                messages.error(
                    request, "You are not authorized and have been logged out."
                )
                return redirect("account_login")
            return super().login(request, extra_context)

    admin.site = CustomAdminSite()

    # Force the `admin` sign in process to go through the `django-allauth` workflow:
    # https://django-allauth.readthedocs.io/en/stable/advanced.html#admin
    admin.site.login = decorators.login_required(admin.site.login)  # type: ignore[method-assign]

Not sure if you meant somthing like that

[foarsitter]

Exactly what I meant! Do you mind providing a PR (when you do, do not forget to translate the error message)?

[jkaeske]

Perfect!
No worries I will do a PR in the next days :)

[jkaeske]

This has now been updated in allauth 0.63.1 and there is a new workaround in the allauth docs.