Transcript: Django Admin

Hello, and welcome to another episode of Django Chat. In this episode, we're going to be talking

about the Django Admin, what it is and how to use it. I'm Will Vincent and joined as

always by Carlton Gibson. Hi, Carlton.

Hello, Will.

So let's get into it. This is one of the questions we get a lot from beginners who just want

to understand how should they use the Django Admin. So maybe since you're the Django fellow,

what's the history? Why does Django have this beautiful admin app that many other web frameworks

Okay, there's an absolutely awesome question. Um, it predates my use of Django, so I got into Django in

the early days, and it's always had the angle, the admin, and the ang, the admin was like this, just

the, the hang, the hangman. What's that? The admin was always like, django admin squashed into one word.

The admin was always like this super killer feature. It's like, so you define some model

classes, and then with like about four lines of code you had this beautiful, um, CRUD interface

where you get a form, you could edit the instances, you could create things in the database. It was

just amazing. It's always been there, so I, I guess it's been there from the birth of Django and from

the Lawrence World Journal. I guess the, the story is they needed an interface for the back end for

the news team to be able to create news articles themselves, and so the admin was born from that, I

suppose. That's the story I've heard. And I think the thing is, is that now, because a lot of times

people ask, well, can I can I can or should I use the admin in that capacity going forward? So let's

say you built a newspaper site today. And I would say you could, but you probably shouldn't. So

generally speaking, the admin is abused and asked to do too much. And we'll talk about, you know,

there is a point where you should just make your own custom pages. But the admin is, you know,

super helpful, I think, especially to beginners, because there's two ways to go in and do CRUD

stuff, you can go into the Django shell, which I think a lot of experienced Django developers maybe

you find faster. Like a Python, you just command line, you know exactly what you're doing. But for

beginners, having a graphical interface is fantastic. And so I always recommend people

play around with the admin first rather than the shell, though eventually you'll use both.

You say beginners. Let me just say straight up right now, I use the admin all the time. There

isn't a single project that I work on where I don't create a model and then immediately

create an admin for it. And I may not use that admin for, for the whole life of the project because

the model might get too complicated, whatever, but I always, when I'm creating a model, create an admin

because it's so little work, and then you've got this interface. And to be honest, yeah, I can go in

the shell, but if I have to create a datetime or something like that, it's much easier to use the,

you know, the, the little JavaScript GUI thing where I can select the date from the calendar

picker than it is to import datetime, datetime, datetime, what was the format? Wow. Yeah. Well, if

we're both confessing, I almost always use the admin too. I mean, occasionally I use the shell

if I'm feeling, you know, like I want to flex my developer muscles, but I almost always use the

admin. So that's, so that's the first thing to mention. So if you're brand new to Django, uh,

there's an admin.py file that is created whenever you run startapp command to create a new app, and

with three or four lines of code, it's in the docs, we'll link to it, you can have it appear in the

admin. But apps will not appear automatically in the admin. So in the same way you have to add the

apps to the INSTALLED_APPS setting in settings.py file, if you want them in the admin, which you do,

you should add them to the admin.py file. And then you can do lots of stuff from there. There's lots

of ways you can customize it. Um, I was just looking through last night. I mean, the docs,

per usual, cover it all, but it's just an overwhelming amount of stuff. Yeah, and therein

lies the problem of the admin. So at every, almost at every point in the history of Django, it seems

somebody's come along with a good idea, say, oh, let's add this model option to, you know, this

option to ModelAdmin, and it's been added, and it's been added, and it's been added until it's

overwhelming. And, you know, I'm very much of the, the opinion that we, we need a kind of a moratorium on

new features in the admin. We need to kind of hold off, close down some of the bugs, maybe even simplify

and deprecate some of the existing features, and then maybe we can make the admin more powerful

than it is. But it's super powerful. It's just that it's so hard to remember the API, you have to go to

the docs and look it up.

Yeah, yeah, I do.

And yeah, I mean, model admin fields exclude.

I think actually in 2.1, there's a new option around permissions, right?

Because you can add action level permissions settings.

I believe that was added in 2.1.

Yeah, well, that tied in with the view.

So this...

for, um, the whole history of the project, um, it's, you've always had change, at least change

permissions. Um, if you could, if you could view a model in the admin and you could change it, you

might not be able to add or delete, but you could, you could alter. But now there's a view-only

permission. Um, right. So you, so you could be like a read-only user of the admin. So why might that

be useful? Well, maybe, I don't know, you've got, um, a board of stakeholders who, they want to be able to

look at the data in the database, but you don't really want them to be able to edit anything

because, well, they have no idea what they're doing. Well, you can give them view-only permission

so that they can look at it, but they can't break anything. They can't have anything.

Yeah. And that's a perfect example of when you get into the subjective choice of when do you

eject from the admin. I mean, even with those permissions, for me to give someone non-technical

access to the admin, I feel a little squirrely about that. But yeah, you just maybe step along

And then when you feel like you need to do too much with the admin, you should make your own pages, basically.

Yeah, like you can override the templates and then you can inject.

Yeah, I was going to say, you can do the templates, you can do a lot.

Don't replace them, override them.

Yeah, and you can inject like a little extra widget of your own using, you know, none of this is super well documented.

So if you go down this path, then you need to be looking at the source, you need to be looking at the docs,

you need to be going into the templates and seeing where the extension points are.

That could be much better documented. It could be, you know, a series of blog posts or something like

that. But you, when you find yourself, um, what's the, making a Herculean effort, you know, when you're

doing far too much, that, you know, it's much easier then to just create a plain vanilla Django view

that does your thing rather than trying to force it into the admin. Well, yeah, so that, and that brings

up, so you were telling me the other day you were fighting with the Django admin and it won again.

What was that particular case where you were fighting with the admin? I was, so there was a

regression introduced in, in some commit, I can't remember the exact commit, whereby the, um, when you

added a new inline with the add button to add a model, an inline form, the, the JavaScript event

handlers weren't correctly attached. And that was because we'd moved from using jQuery to vanilla

JavaScript, and there was some reason why the event handlers weren't copied across in the new

way as they were in the old way. Anyway, doesn't really matter. I had to write a unit test for this,

and in the end I got the unit test going using Selenium, and it was all very fine and good, but

it took a long time and a lot of effort. And you, you know, my tweet was about how the Django admin

had won again, because if you do try and get into the nullies and you do try and customize it too

much, or you do try and write unit tests for the JavaScript on it, you will find that it, it's, it's

complicated. It's super powerful, it's super mature. Um, it's, it's experienced over its lifetime lots

of feature growths, that perhaps a little bit too much, and that means it's complex, and any software

which is complex takes time to tackle. And wasn't there, a number of years ago there was a proposal

to kind of redo it from scratch, and it was estimated the cost would be over a million dollars?

Do I have that right? I think maybe there's a blog post on that. Because, you know, it's a perpetual

thing. Well, people say, why can't we just do it differently? It's like, well, because it's, it's a

beast. Yeah, no, I mean, you couldn't read, you essentially couldn't now rewrite it. I mean,

there was an admin2 effort, I do, and they did really well and they got really far, but in the

end you, you're never going to reach feature parity because it's got 10 years of edge cases

worked in. And it's super, right, that's what, it's super good and it's super powerful, and it's, and

you can do a lot with it, and it has got extension points. It's not that you can't, you know, do

anything to extend it, but you're never going to replace that effort in an open source project. So

unless, you know, AM Big Megacorp comes along and says, we're going to fund it to the tune of a

million bucks, which they're never going to do. It won't be replaced. Yeah. So appreciate for what

it is and don't try to make it what it's not. But let's start. So some specifics when you're

working with the admin, it has search. And actually, if you go in the source code, that's

an interesting place. You can see a basic search implementation. This is the other thing, right?

When you say go in the source, go in the source and have a look. So it's got filters, right? So

that you can have filters down the side, which enable you to be filtered by models. It's a great

source of like, oh, there has, here's how I'd implement a filter. No, I looked, I looked there

for inspiration, for sure. Yeah. Well, it also, there are things you can do around speeding up the

admin. So Jacinda Shelly, who I think we'll have on as a guest soon, who's the CTO of Doctor on

Demand, gave a talk at PyCon I attended talking about ways to speed up the admin. Because if you

have a big, big project, you're going to be waiting on your admin. And that's a case where

you go, well, is it the admin? Is it my queries? Often it's your queries. But it can and is used

in very powerful ways when you have massive, massive data sets. And there's a whole bunch

of talks too if you look at past DjangoCon

PyCons about customizing

the admin. So actually one thing I want to ask you Carlton

is so there's an option to do an

admin documentation generator

that I have never done myself.

What's the use

case for that? I mean it sounds nice

but the fact that I haven't heard about it makes me think maybe

it's not widely used. No I

don't think it is widely used. I have to like okay

so I've half played with this years

ago didn't really get very far with it

and never looked at it again and every so often

every six months I go through

the docs, I'm not, oh yeah, admin docs, I should really take the, the time to work that out. I think

that's quite powerful. So that will create from your source code kind of browsable reference

documentation, which, that just sounds brilliant. And all you've got to do is, especially when you're

dealing with Django REST framework, where that, you know, a big part of what you're doing is the

automated documentation, and, and, you know, well, you're overseeing the switch, you know, to Swagger.

What I mean is like your, your, um, your, your, um, classes, so you're like Python classes, your model

classes, your, your view classes, you get some API, like reference API documentation. I don't mean like

API in terms of something that, um, another computer would call over a remote service, not that kind of

API. I mean API as in the software API, as in what you program. Right, right, internal. Yeah, it's a good

distinction to make. Yeah. Okay, so you also are aware of it, but not, I haven't heard of someone

going nuts with it. No, it's on my list of something where I think, oh, I really should check that out.

Because it's kind of there, and I suspect it's quite useful.

But to be honest, in all my time, I've never really looked at it more than half a thing where I didn't know what I was doing, and I didn't get it working very well, and I never tried again.

Perhaps I'll try again over the next few weeks and come back to you.

Yeah, that applies to so many things.

So one thing we should mention is hardening the admin.

So there's articles on this.

We'll link to a couple.

But there are some – it is a security concern because – so here's a number of things you should do.

And actually, Andrew Pinkham, who wrote Django Unleashed, someone I've talked with at length about the admin, he actually just removes it entirely on new projects.

Now, he knows what he's doing, so I'm not sure if I recommend that approach.

But to deal with these security things, he doesn't even use the admin at all.

He's pure Django shell.

He's hardcore.

What I would suggest regular people do is, in order at a minimum, change the URL so you can go into the path.

Don't have it be slash admin because people can and will search and try to force their way into your Django project.

You can make it use even more powerful passwords.

There's a number of ways and third-party packages to force greater level of password protection.

You can do two-factor auth.

You can get, have fun with it and use, um, django-admin-honeypot, which is a third-party package

which will let you track and see who is trying to get into slash admin on your site. Um, of course

you should use SSL. Um, that's really the basics, that the top thing is don't have it at slash admin,

you know, take, take a second and don't have it at slash admin, um, before you put it out in the wild.

The thing, I don't know, you want to add to that? Yeah, well, the thing I do is, um, I make, I configure

my reverse proxy, so normally I use nginx, um, I configure it to only allow, um, access to the

admin from localhost or from 127.0.0, from the loopback address. And then, and then I use, that's

a good idea, and then I use an SSH tunnel to tunnel into my server, and so that I can access

the admin. So you have to have SSH access to the server, and then, um, you can only, you access the,

the admin via a, an SSH tunnel, and it means essentially the only people who can access

the admin are those with SSH access to the server. So I do that. Um, right, right. So that, yeah, that

wouldn't work in like a newspaper context if you're using, no, no, but then you could, what might

work in that context is doing it something like, something like via an intranet, so you only have a,

from a host which is exposed on the intranet. So, you know, presumably, um, and people use VPNs now,

don't they? Um, so you, you might have to VPN into the, the, the internal network, and then you can

access the, the admin from there. But some kind of network-level controls where it's, I can, you know,

the, the, the SSH tunnel example is not very complicated. If you nag me, I can put that into

a gist or something. Yeah, I mean, the point is, is on a large app you need to think about security,

and the admin is, is one of those. But fundamentally it shouldn't feel that hard. You know, you should,

basically you should add it for all your apps, do a little bit of customization, you can control the

layout. When you're really fighting with it, take a moment to think about whether you should try to

force the admin to do it versus just create your own custom pages. Like, that would be the quick

takeaway. But you should use it. And again, yeah, and don't feel bad about using it versus the Django

shell. I mean, you and I both prefer and predominantly use it, so don't feel like you're not a real Django

a developer because you use the admin. But like, you know, you can't, like, I don't know, let's say

you've created a blog post app, right, and you're writing your blog, but you can't write your blog

post in the shell. Well, you could. Yeah, I know, I mean, there are people who could, but I couldn't.

Yeah, well, why bother? Yeah. Um, all right, well, so this, I think that's really it. This was meant to

be a short episode because we get this question a lot, and I think there's just confusion around

it and people fighting with it and kind of wondering what's, what's the lay of the land

among developers on how to use it.

But that's the quick take.

You should use it.

It's a fantastic feature.

When you use other frameworks,

you're going to go,

where is the admin?

Because it's really nice.

One thing I do is like,

so say I have no idea

how my model is going to look finally,

but I've got two or three fields,

which I'm sure of.

Okay, let me create the two or three fields,

create the admin,

start playing with it locally,

creating some records,

starting adding the right kind of data.

And then I can start creating

a couple of views around that

and see, oh, look, I'm missing a field.

And so I can write a migration to add the field, and then I can add a few more records in this

admin, and it enables me to kind of iteratively develop my model and my views and the API that

will wrap around those. And even if I'm not going to use the admin in production, it's a nice

development tool as I'm going along, and for me, I just love it. I love it. Yeah, and that's the other

thing too, is that most people start with the models, and you can spend quite a bit of time on

that, and to have a graphical way to look at them and play with them is nice because, you know, I

always view it as that's, that's sort of like the top of the waterfall, and then the views and the

templates and URLs, that kind of, that just naturally flows from the models. But you have to get your

models right first. And I do the same thing. I'll, I'll play around with the models and figure out

the relationships in the admin for quite a while before I do all the rest of it, because that's

really the, the backbone of any project. Yeah, and you don't have to deploy this stuff to a web

application. If you need a little note-taking app for some project you can work on, you can just

create a startapp, stop, startproject, startapp, um, you know, my, my project I'm working on, quick

model, bam, bam, bam, quick admin, and there you are, you've got a little admin UI that took you 20

minutes to put together. Yeah, no, and that's better than an Excel spreadsheet, right, where you're

trying to enter data in a spreadsheet. Yeah, and when I teach, you know, I, I start with let's just

do the models in the admin and it's there, and then we'll get to, as I said, the views, the URLs,

and the templates, because internalizing that takes a while. But it really is all about the

models. I mean, if you ask any, again, another point, if you ask any professional developer

thinking about a project, the first thing I'm thinking about is I'm trying to whiteboard what

the model structure is, because that's the heart of everything. And at some point, actually, I'd

like to do a video series and just whiteboard how almost every website is the same. Facebook,

Twitter, Pinterest, Instagram, they all are crud with auth and a foreign key and either a one to

many or a many to many, and you can certainly prototype them entirely with that. Yeah, I mean,

going through and just saying, give me a website, give me a complicated website, I'm going to show

you how it fits into that pattern 99 of the time. That's another great, uh, learning approach

to people trying to internalize and get, wrap their head around the structure of web apps.

Yeah, and there you are, and being able to wrap a GUI around that in five seconds is useful.

Yeah, yeah. So, all right, that's it. We will be back, as we will be back with future episodes, and as

ever, if you have feedback you can reach us at djangochat.com. We're on Twitter at ChatDjango,

and we'll see you next time. Bye, Carl. Bye.