Only staff with good permission mask can visit Django Admin

note_kfet/admin.py

@@ -0,0 +1,25 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.contrib.admin import AdminSite
+from django.contrib.sites.admin import Site, SiteAdmin
+
+from member.views import CustomLoginView
+from .middlewares import get_current_session
+
+
+class StrongAdminSite(AdminSite):
+    def has_permission(self, request):
+        """
+        Authorize only staff that have the correct permission mask
+        """
+        session = get_current_session()
+        return request.user.is_active and request.user.is_staff and session.get("permission_mask", -1) >= 42
+
+    def login(self, request, extra_context=None):
+        return CustomLoginView.as_view()(request)
+
+
+# Instantiate admin site and register some defaults
+admin_site = StrongAdminSite()
+admin_site.register(Site, SiteAdmin)

note_kfet/urls.py

@@ -3,13 +3,14 @@
 
 from django.conf import settings
 from django.conf.urls.static import static
-from django.contrib import admin
 from django.urls import path, include
 from django.views.defaults import bad_request, permission_denied, page_not_found, server_error
 from django.views.generic import RedirectView
 
 from member.views import CustomLoginView
 
+from .admin import admin_site
+
 urlpatterns = [
     # Dev so redirect to something random
     path('', RedirectView.as_view(pattern_name='note:transfer'), name='index'),
@@ -25,7 +26,7 @@ urlpatterns = [
     # Include Django Contrib and Core routers
     path('i18n/', include('django.conf.urls.i18n')),
     path('admin/doc/', include('django.contrib.admindocs.urls')),
-    path('admin/', admin.site.urls, name="admin"),
+    path('admin/', admin_site.urls, name="admin"),
     path('accounts/login/', CustomLoginView.as_view()),
     path('accounts/', include('django.contrib.auth.urls')),
     path('api/', include('api.urls')),