Django Chat

Django Admin

Episode Summary

The built-in Admin app is one of Django's killer features but often asked to do too much. In this episode we discuss how to effectively use and customize the admin.

Episode Transcription

Will Vincent  0:06  

Hello, and welcome to another episode of Django Chat. In this episode we're going to be talking about the Django admin: what it is and how to use it. I'm Will Vincent and joined as always by Carlton Gibson like Carlton Halliwell. So let's get into it. This is one of the questions we get a lot from beginners who just want to understand how they should use the Django admin. So maybe since you're the Django Fellow, what's the history? Why does Django have this beautiful Admin app that many other web frameworks do not? Okay,

 

Carlton Gibson  0:30  

That's an absolutely awesome question. It predates my use of Django. So I got into Django in the early days and it's always had the anger the I mean, and the anger the Imam was like this just the the Hank, the hangman. What's that? The admin was always like Django admin squashed into one word. The admin was always like the super killer feature, like, so you define some model classes and then with like about four lines of code, you had this beautiful CRUD interface where you get a form, you could edit the instances, you can create things in the database, it was just amazing. It's always been there. So I, I guess it's been there from the birth of Django. And from the Lawrence Journal-World, I guess the story is they needed an interface for the back end, for the news team to be able to create news articles themselves. And so the admin was born from that, I suppose.

 

Will Vincent  1:19  

that's the story I've heard. And I think the thing is, is that now because a lot of times people will ask, Well, can I can I can or should I use the admin in that capacity going forward? So let's say you built a newspaper site today. And I would say you could, but you probably shouldn't. So generally speaking, the admin is abused and asked to do too much. And we'll talk about you know, there is a point where you should just make your own custom pages, but the admin is, you know, super helpful, I think, especially to beginners, because there's two ways to go in and do crud stuff, you can go into the Django shell, which I think a lot of experienced Django developers maybe find faster, like a Python you just command line to know exactly what you're doing. But for beginners, having a graphical interface is fantastic. So I always recommend people play around with the admin first rather than the shell, eventually, you'll use both. And there's a salty as you say, beginners, I have

 

Carlton Gibson  2:09  

like, let me just say straight up right now I use the admin all the time, there isn't a single project that I work on where I don't create a model, and then immediately create an admin for it. And I may not use that admin for the whole life of the project, because the model might get too complicated, whatever. But I always when I'm creating a model, create an admin because it's so little work. And then you've got this interface. And to be honest, yeah, I can go in the shell. But if I have to create a date time or something like that, it's much easier to use the, you know, the little JavaScript GUI thing where I can select the date from the calendar picker than it is to import date, time, date, time, date, time, what was the format or?

 

Will Vincent  2:48  

Yeah, well, we're both confessing. I almost always use the admin too. I mean, on occasion I'll use the shell if I'm feeling, you know, like I want to flex my developer muscles, but I almost always use the admin. So that's the first thing to mention. So if you're brand new to Django, there's an admin.py file that is created whenever you run the startapp command to create a new app. And with three or four lines of code, it's in the docs, we'll link to it, you can have it appear in the admin, but apps will not appear automatically in the admin. So in the same way you have to add the apps to the INSTALLED_APPS setting in the settings.py file, if you want them in the admin, which you do, you should add them to the admin.py file. And then you can do lots of stuff. And there's lots of ways you can customize it. I was just looking through last night, I mean, the docs per usual cover it all, but it's just an overwhelming amount of stuff.

 

Carlton Gibson  3:31  

Yeah. And therein lies the problem of the admin. So at almost every point in the history of Django, it seems somebody's come along with a good idea, say, oh, let's add this model option to this option to ModelAdmin. And it's been added, yeah, and it's been added and it's been added until it's overwhelming. And, you know, I'm very much of the opinion that we need a kind of a moratorium on new features in the admin, we need to kind of hold off, close down some of the bugs, maybe even simplify and deprecate some of the existing features, and then maybe we can make the admin more powerful than it is. But it's super powerful. It's just that it's so hard to remember the API. You have to go to the docs and look it up.

 

Will Vincent  4:09  

Yeah, yeah, I do. And yeah, I mean, ModelAdmin fields, exclude. I think, actually, in 2.1, there's a new option around permissions, right? Because you can add action level permissions settings. I believe that was added in 2.0. Yeah, well, that tied in with the view there. So for the whole history of the project, you've always had at least change permissions. If you could view a model in the admin then you could change it, you might not be able to add or delete, but you could alter, but now there's a view only permission.

 

Carlton Gibson  4:42  

Right? So you could be like a read only user of the admin. So why might that be useful? Well, maybe I don't know. You've got a board of stakeholders who they want to be able to look at the data in the database, but you don't really want them to be able to edit anything because while they have no idea what they're doing, well, you can give them view only permissions. They can they can look at it, but they can't break anything they can't.

 

Will Vincent  5:03  

Yeah. And that, you know, that's a perfect example of when you get into the subjective choice of when do you eject from the admin? I mean, even with those permissions for me to give someone non technical access to the admin, I feel a little squirrely about that. But yeah, you just baby step along. And then when you feel like you need to do too much with the admin, you should make your own page Yeah,

 

Carlton Gibson  5:23  

like, we can override the templates. And then you can enjoy as I say, you

 

Will Vincent  5:27  

can do the templates, you can do a lot don't replace them override,

 

Carlton Gibson  5:30  

yeah, and you can, you can inject like a little extra widget of your own. None of this is super well documented. So if you go down this path, then you need to be looking at the source, you need to be looking at the docs, you need to be going into the templates and seeing where the extension points are. That could be much better documented. It could be, you know, a series of blog posts or something like that. But you when you find yourself what's that hurt me? a Herculean effort, you know, when you're doing far too much, then, you know, it's much easier to just create a plain vanilla Django view that does your thing rather than trying to force it into the admin. Well, yeah,

 

Will Vincent  6:11  

so that that brings up so you were telling me the other day you were fighting with the Django admin and at one again, what was that particular case where you were

 

Carlton Gibson  6:18  

fighting with the admin. I was, so there was a regression introduced in some commit, I can't remember the exact commit, whereby, when you added a new inline with the Add button to add an inline form, the JavaScript event handlers weren't correctly attached. And that was because we've moved from using jQuery to using vanilla JavaScript. And there was some reason why the event handlers weren't copied across in the new way because they weren't the old way. It doesn't really matter. I had to write a unit test for this. And in the end, I got the unit test going using Selenium and it was all very fine and good, but it took a long time and a lot of effort and, you know, my tweet was about how the Django admin had won again, because if you do try and get an alias, and you do try and customize it too much, or you do try and write unit tests for the JavaScript, you will find that it's complicated. It's super powerful. It's super mature. It's experienced over its lifetime lots of feature growth, perhaps a little bit too much. And that means it's complex. And any software which is complex takes time to tackle.

 

Will Vincent  7:29  

and Wasn't there a number of years ago, there was a proposal to kind of redo it from scratch, and it was estimated the cost would be over a million dollars. Do I have that? Right? I think maybe there's a blog post on that. Yes. Is a perpetual thing where people say, Well, why can't we just do it differently? It's like, well, because it's, it's a beast.

 

Carlton Gibson  7:44  

Yeah. I mean, you couldn't, you essentially couldn't now rewrite it. I mean, there was an admin to do and they did really well and they got really far. But in the end, you're never going to reach feature parity, because it's got 10 years of edge cases, worked in and it's super great. That's what it super good. And it's super powerful. And it's and you can do a lot with it. And it has got extension points. It's not that you can't, you know, do anything to extend it. But you're never going to replace that effort in an open source project. So unless, you know, a big mega Corp comes along and says we're going to fund it to the tune of a million bucks, which they're never going to do. Yeah, it won't be replaced.

 

Will Vincent  8:19  

Yeah. So appreciate it for what it is. And don't try to make it what it's not. But let's do some specifics. When you're working with the admin, it has search. Actually, if you go into the source code, that's an interesting place, you can see a basic search implementation

 

Carlton Gibson  8:31  

worked, right. What would you say go into source go in source and have a look. So it's got filters, right? So that you can have filters down the side which may be filtered by models. It's a great source of like, Oh, they had here's how I didn't implement a filter.

 

Will Vincent  8:43  

Now I look. I look there for inspiration. For sure. Yeah. Well, it also, there are things you can do around speeding up the admin. So Jacinda Shelly, who I think we'll have on as a guest soon, who's the CTO of Doctor On Demand, gave a talk at PyCon I attended talking about ways to speed up the admin, because if you have a big, big project, you're going to be waiting on your admin. And that's the thing where you got a case where you go, well, is it the admin? Is it my queries? Often it's your queries. But it can, can is used in very powerful ways when you have massive, massive data sets. And there's a whole bunch of talks too, if you look at past DjangoCons, PyCons, about customizing the admin. So actually one thing I want to ask you, Carlton, is so there's an option to do an admin documentation generator that I have never done myself. Yeah. What's the use case for that? It sounds nice, but the fact that I haven't heard about it makes me think maybe it's not widely used? No,

 

Carlton Gibson  9:37  

I don't think it is widely used. I have to like, okay, so I've half played with this years ago, didn't really get very far with it and never looked at it again. And every so often, every six months, I go to the docs, I'm not Oh, yeah, having docs, I should really take the time to work that out. I think that's quite powerful. So that will create from your source code kind of browsable reference documentation, which, that sounds brilliant with a lot. You've got to do is in specially

 

Will Vincent  10:00  

when you're dealing with Django rest framework where that, you know, a big part of what you're doing is the automated documentation and and, you know, while you're overseeing the switch, you know

 

Carlton Gibson  10:10  

what I mean? It's like your your, your, your classes. So you like Python classes, your model classes, your your view classes, you get some API like reference API documentation. I don't mean like API in terms of something that another computer would call over remote service. Now, that kind of API mean, API is in the software API as in what your program Right, right. Internal. Yeah.

 

Will Vincent  10:31  

It's a good distinction to make. Yeah. So you also are aware of it, but not I haven't heard of someone going nuts with it. No

 

Carlton Gibson  10:39  

way. He's on my list of something where I think oh, I really should check that out. Because it's kind of there. And it's, it's I suspect, it's quite useful. But I To be honest, in all my time, I've never really looked at it more than half a thing where I didn't know what I was doing. I didn't get it working very well. I never tried to get past I'll try getting

 

Will Vincent  10:56  

a connection. That's Yeah, that applies to so many things. So one thing we should mention is hardening the admin. So there's, there's articles on this, we'll link to a couple, but there are some, it is a security concern, because so here's a number of things you should do. And actually, Andrew Pinkham, who wrote Django Unleashed, someone I talked with at length about the admin, he actually just removed it entirely on new projects. Now he knows what he's doing. So I'm not sure if I recommend that approach. But to deal with the security things, he doesn't even use the admin at all. He's pure Django shell, he's hardcore. What I would suggest regular people do is, at a minimum, change the URL, so go in, go into the path, don't have it be slash admin, because people can and will search and try to force their way into your Django project. You can make it use even more powerful passwords. There's a number of ways and third-party packages to force a greater level of password protection. You can do two-factor auth, you can have fun with it and use Django admin honeypot, which is a third-party package, which will let you track and see who is trying to get into slash admin on your site. Of course, you should use SSL. That's really the basics. The top thing is don't have it as slash admin, you know, take a second, and don't have it slash admin before you put it out in the wild. The thing I know you want to add to that, yeah,

 

Carlton Gibson  12:21  

well, the thing I do is I make, I configure my reverse proxy. So normally, I use nginx. And I configure it to only allow access to the admin from localhost or from 127.0.0.1, from the loopback address, and then I and then I use, that's a good idea. And then I use an SSH tunnel to tunnel into my server. And so that I can access the admin so you don't have to have SSH access to the server. And then you can only access the admin via an SSH tunnel, and it means essentially the only people who can access the admin are those with SSH access to the server.

 

Will Vincent  13:03  

So I do that ran, I ran into that. Yeah, that wouldn't work in like a newspaper context, if you're using the Oh, no, but then

 

Carlton Gibson  13:09  

that what might work in that context is doing it something like, something like via an intranet, so you only have access from a host, which is exposed on the internet. So, you know, presumably, people use VPNs, not only. So you might have to VPN into the, like, the internal network, and then you can access the admin from there, but some kind of network level controls where it's, I can, you know, the SSH tunnel example. It's not very complicated. If you nag me, I can put that into a gist or something.

 

Will Vincent  13:40  

Yeah, I mean, the point is, on a large app, you need to think about security and the admin is one of those. But fundamentally, it shouldn't feel that hard. You know, you should basically, you should add it for all your apps, do a little bit of customization, you can control the layout. When you're really fighting with it, take a moment to think about whether you should try to force the admin to do it versus just create your own. Yeah, just like that would be the quick takeaway, but you should use it. And again, yeah, and don't feel bad about using it versus the Django shell. I mean, you and I both prefer and predominantly use it. So don't feel like you're not a real good developer because you use the admin

 

Carlton Gibson  14:14  

but like, you know, you can't like I don't know, let's say you've created a blog post out, right, and you're writing your blog, but you can't write your blog post in the chat.

 

Will Vincent  14:21  

Well, you could.

 

Carlton Gibson  14:22  

Yeah, I know. I mean, there are people who could. I couldn't

 

Will Vincent  14:25  

Yeah, well, why bother? Yeah. All right. Well, so this I think that's really it. This was meant to be a short episode because we get this question a lot. And I think there's just confusion around it and people fighting with it and kind of wondering what's, what's the lay of the land among Django developers on how to use it, but it's good. That's the quick take, you should use it. It's a fantastic feature, okay, use other frameworks, you're gonna go, where is the admin, because it's really nice.

 

Carlton Gibson  14:48  

One thing I do is like say I'm I have no idea how my models gonna look Finally, but I've got two or three fields, which I'm sure of, okay. Let me create the two or three fields, create the admin start. playing with it locally creating some records starting adding the right kind of data. And then then I can start creating a couple of views around that and see. And then Oh, look, I'm missing a field. And so I can write a migration to add the field. And then I can add a few more records in this admin. And it enables me to kind of iteratively develop my model and my views and the API that will wrap around those. And even if I'm not going to use the admin in production, it's a nice development tool as I'm going along. And for me, I just love it. I love it.

 

Will Vincent  15:26  

Yeah. And that's the other thing too, is that most people start with the models. And you can spend quite a bit of time on that. And to have a graphical way to look at them. And play with them is nice, because, you know, I always view it as that's, that's sort of like the top of the waterfall and then the views and the templates and URLs that kind of that just naturally flows from the models. But you have to get your models right first and I do the same thing. I'll, I'll play around with the models and figure out the relationships in the admin for quite a while before I do all the rest of it, because that's really the backbone of any project. Yeah.

 

Carlton Gibson  15:56  

And you don't have to deploy this stuff to a web application. If you need a little nudge. Taking out some project you can work on, you can just create a start app stop start projects that app. You know, my project, I'm working on quick model by my bam, quick admin. And there you are, you've got little admin UI that took you 20 minutes to put together.

 

Will Vincent  16:14  

Yeah. Now we're

 

Carlton Gibson  16:16  

an Excel spreadsheet, right? Where you're trying to insert data in a spreadsheet.

 

Will Vincent  16:20  

Yeah, when I teach, you know, I start with, let's just do the models in the admin. And it's there. And then we'll get to, as I said, the views the URLs in the templates, because internalizing that takes a while, but it really is all all about the models. If you ask any. Again, another point, if you ask any professional developer thinking about a project, the first thing I'm thinking about is I'm trying to whiteboard what the model structure is, because that's the heart of everything. And at some point, actually, I'd like to do a video series and just whiteboard how almost every website is the same. Facebook, Twitter, Pinterest, Instagram, they all are crud with auth and a foreign key and either a one to many or many to many And you can certainly prototype them entirely with that. Yeah, I mean, going through and just saying, Give me a website, give me a complicated website. I'm going to show you how it's fits into that pattern 99% of the time, that's another great learning approach to people trying to internalize and get wrapped their head around the structure of web apps.

 

Carlton Gibson  17:20  

Yeah. And then being able to wrap a GUI around that in five seconds is useful. Yeah,

 

Will Vincent  17:25  

yeah. So all right, gentlemen, we will be back. We'll be back with future episodes. And as ever, if you have feedback, you can reach us at djangochat.com. We're on Twitter at @ChatDjango and we'll see you next time. Bye, girl. Bye.