Home/ Questions/Q 616865
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T18:22:21+00:00

I’m creating a multiple-tenant application that won’t use any of the standard Django Admin

  • 0

I’m creating a multiple-tenant application that won’t use any of the standard Django Admin (except for internal use which will have access to all tenants… that’s simple enough). I’m trying to create an authorization system of my own and I’m not interested in using the standard User model (or any built-in application’s model). My application will have accounts, and each account will have administrators (had to use Administrator vs User for name-clash purposes). Those users will authenticate using my own completely custom system. Is this all wrong. Should/Can I still use Django’s auth system in a multi-tennant situation which uses my own custom interface (like mentioned before I won’t be allowing account holders to use the default Admin interface). Is there security implications in using my own system or do Django’s standard security elements like session hijacking prevention protect me?

It seems to me that a lot of Django is built around the idea of using the Admin interface and not building multi-tenant SAAS software with your own Admin. Am I thinking of this all wrong?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You definitely should use Django auth system, it still does 90% of what you need.

    I’ve built what looks exactly like your scenarion in one project: corporate accounts, each with admin user and multiple regular users.

    Here’s model structure I used:

    class Account(models.Model): # represents copporate customer
    admin = models.ForeignKey(User)
    # other fields ...

class UserProfile(models.Model):
    user = models.ForeignKey(User)
    account = models.ForeignKey(Account)

    And some examples of enforcing authorization requirements on view level with custom decorators:

    @account_access_required # request.user.get_profile().account == account
def account_page(request, account_id):
    # ...

@account_admin_required # request.user == account.admin
def account_users(request, account_id):
    # ...

    We actually used subdomains for accounts, so there was no need for explicit account_id parameter.

    It is very reasonable to use custom interface for account admins. Django admin interface is only intended for 100%-trusted users like system admininstators and internal support staff.

    • 0