After implementing the DRF authtoken app, I deleted my previous superuser (because it did not have an auth token) and created a new one. Looking at the database, I see that the new superuser has an entry in the authtoken_token table. It also has is_admin, is_staff, and is_superuser set to True. is_active is set to False, but this was also set to False for the previous superuser and logging in to admin was not a problem.
When I enter credentials on the admin page with is_active=False, it says:
"Please enter the correct email and password for a staff account. Note that both fields may be case-sensitive."
Before setting is_active=True, some answers from other SO questions I tried:
These steps did not change anything. Then I set is_active=True for the new superuser, and I was finally able to log in. But why? Before DRF token authentication, my inactive superuser could log in to admin. Now it cannot; it has to be active to log in. What does this have to do with token authentication? (So my problem is solved, but I'm wondering how Django and DRF work behind the doors.)
You can take a look at the class TokenAuthentication (which inherits from BaseAuthentication) in the file rest_framework/authentication.py.
Here you will find the method:
    # Module-level imports used by the method (from rest_framework/authentication.py).
    from django.utils.translation import gettext_lazy as _

    from rest_framework import exceptions


    # Method of TokenAuthentication.
    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.select_related('user').get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed(_('Invalid token.'))

        # A token whose owner has been deactivated is refused.
        if not token.user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (token.user, token)
As you can see, there is a protection on token.user.is_active to forbid the connection. Thus your problem on admin!
You can then ask "Why this system?" Because, thanks to that, when you delete a user you just need to set is_active to False, no need to delete it (if you have an FK link to the user with on_delete=models.CASCADE, it could have some unwanted consequences).
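The is_active gate from the quoted method, and the soft-delete pattern the answer describes, can be exercised without a Django project. The block below is an added example, not code from the question, the answer, or DRF itself: it models the authtoken_token table as an in-memory dict and mirrors authenticate_credentials on top of it. The names UserRow, TokenRow, revoke_by_deactivation and check, and all token values, are constructed for the example.

```python
"""Added example: an in-memory mirror of DRF's TokenAuthentication.authenticate_credentials()
so the is_active check and the "deactivate instead of delete" pattern can be run stand-alone.
UserRow, TokenRow, revoke_by_deactivation and check are assumed names, not DRF API."""
from dataclasses import dataclass, field


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass
class UserRow:
    username: str
    is_active: bool = True
    # Rows in other tables that point at this user through a FK with
    # on_delete=CASCADE; deleting the user row would delete these as well.
    related_rows: list = field(default_factory=list)


@dataclass
class TokenRow:
    key: str
    user: UserRow


# Constructed sample data standing in for auth_user and authtoken_token.
USERS = {
    "alice": UserRow("alice", is_active=True, related_rows=["order-1", "order-2"]),
    "bob": UserRow("bob", is_active=False, related_rows=["order-3"]),
}
TOKEN_TABLE = {
    "tok-alice-0001": TokenRow("tok-alice-0001", USERS["alice"]),
    "tok-bob-0002": TokenRow("tok-bob-0002", USERS["bob"]),
}


def authenticate_credentials(key: str) -> tuple:
    """Same two gates as the DRF method quoted in the answer:
    unknown key -> Invalid token; known key but inactive owner -> rejected."""
    try:
        token = TOKEN_TABLE[key]          # model.objects.get(key=key)
    except KeyError:                      # model.DoesNotExist
        raise AuthenticationFailed("Invalid token.")
    if not token.user.is_active:
        raise AuthenticationFailed("User inactive or deleted.")
    return (token.user, token)


def revoke_by_deactivation(username: str) -> None:
    """Soft delete: flipping is_active revokes every token the user owns
    while the rows that reference the user stay in place."""
    USERS[username].is_active = False


def check(key: str) -> str:
    """Outcome label for a presented token; used by the demo below."""
    try:
        user, _token = authenticate_credentials(key)
    except AuthenticationFailed as exc:
        return f"rejected: {exc}"
    return f"accepted: {user.username}"


if __name__ == "__main__":
    print(check("tok-alice-0001"))      # active owner: accepted
    print(check("tok-bob-0002"))        # inactive owner: rejected
    print(check("tok-nobody-9999"))     # unknown key: rejected
    revoke_by_deactivation("alice")
    print(check("tok-alice-0001"))      # now rejected without deleting anything
    print(USERS["alice"].related_rows)  # FK-linked rows survive the soft delete
```

Running it shows the two distinct failure messages the DRF method raises and that deactivating a user is enough to cut off its existing token, which is the reason the answer gives for preferring is_active=False over a hard delete.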