docs: Change admin site workaround documentation

[jkaeske]

The documented workaround was resulting in ERR_TOO_MANY_REDIRECTS. To solve this issue a workaround using a custom decorator was proposed.

Fixes #3786

Submitting Pull Requests

General

• Make sure you use semantic commit messages.
  Examples: "fix(google): Fixed foobar bug", "feat(accounts): Added foobar feature".
• All Python code must formatted using Black, and clean from pep8 and isort issues.
• JavaScript code should adhere to StandardJS.
• If your changes are significant, please update ChangeLog.rst.
• If your change is substantial, feel free to add yourself to AUTHORS.

[coveralls]

coverage: 95.55%. remained the same
when pulling d8d1637 on jkaeske:admin-documentation
into a52fb87 on pennersr:main.

[pennersr]

IMO protecting the admin is really important, so I think it would make sense to promote that code to an actual decorator that just works out of the box, so that people do not need to copy chunks of code around. How about we add that decorator to allauth.account.decorators?

[jkaeske]

Sounds great to me!
Let me update the code in the next days.

[pennersr]

If I use this decorator, while logged in as a regular user, and then visit an admin page, I am redirected to LOGIN_REDIRECT_URL, but it is not really obvious why that happens. Wouldn't it be more clear to just raise a PermissionDenied ?

[pennersr]

Also, perhaps nitpicking, but the name staff_member_required_or_redirect is a bit long. Given that this decorator has only one purpose, securing the admin login, perhaps name it like that, so that we get:

from allauth.account.decorators import secure_admin_login

admin.site.login = secure_admin_login(admin.site.login)

[pennersr]

While I was toying with this anyway, I figured I could just as well file a PR right away. Could you take #3818 for a test spin?

[joonhyungshin]

If I use this decorator, while logged in as a regular user, and then visit an admin page, I am redirected to LOGIN_REDIRECT_URL, but it is not really obvious why that happens. Wouldn't it be more clear to just raise a PermissionDenied ?

I think both approaches are valid. Sometimes a webmaster may not want to raise 403 or show 403 page to users but instead redirect them to the default login success page. I've seen some webpages doing this. In terms of customizability this looks more flexible.

How about adding an optional argument, something like redirect_url so that if it is given send non-staff users there and otherwise raise 403?

[pennersr]

The Django admin also uses PermissionDenied in case you try to access things you don't have access to, so this way the behavior is conform to what the admin is already doing. I am not sure a redirect makes much sense if there is no explanation/message on why you are ending up there...