Opened 2 years ago

Closed 21 months ago

Last modified 8 months ago

#21648 closed Cleanup/optimization (fixed)

Deprecate "is_admin_site" option of auth.views.password_reset()

Reported by: brain@… Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no



Here the option "is_admin_site" is not documented and its name doesn't describe what it is doing.

According to and it uses the host of the request instead of the site framework, therefor it should be name something like "use_domain_from_request".

Kind regards,

Change History (11)

comment:1 Changed 2 years ago by timo

  • Easy pickings unset
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Yes, it seems poorly named, but I'm not sure it's worth renaming due to backwards compatibility concerns at this point. The parameter was added in the merge of magic-removal pre-1.0, but the functionality didn't appear to be used or tested until [9305c0e1].

comment:2 Changed 2 years ago by claudep

Is the use case for that parameter still accurate? Shouldn't we deprecate it?

comment:3 Changed 22 months ago by timgraham

  • Component changed from Documentation to contrib.auth
  • Has patch set
  • Summary changed from the "is_admin_site" option of password_reset is undocumented and the name ambiguous to Deprecate "is_admin_site" option of auth.views.password_reset()
  • Type changed from Bug to Cleanup/optimization
  • Version changed from 1.6 to master

Deprecation looks reasonable to me. I couldn't find a use case for it because if contrib.sites isn't installed, contrib.sites.requests.RequestSite (via get_current_site() in PasswordResetForm) uses request.get_host() as well.


comment:4 Changed 21 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In e39af5ea592bbe4e7a643e67f0c379adc10ed392:

Fixed #21648 -- Deprecated is_admin_site option to auth.views.password_reset().

comment:5 Changed 21 months ago by googol7

A use case is if you are using just one Django instance (=> only one => only one settings.SITE_ID) and you want to use django CMS (which relies on django.contrib.sites) to host a website on xyz.domain.tld and you have several subdomains abc.domain.tld, xyz.domain.tld, etc. which do not use django CMS but only provide a (branded) login where users can also click the "forgot password" link and in the resulting email the referring URL (e.g. xyz.domain.tld) should be used.

django CMS:


from django.contrib.sites.models import Site
site = models.ForeignKey(Site, help_text=_('The site the page is accessible at.'), verbose_name=_("site"))
site (django.contrib.sites.models.Site instance) – Site to put this page on
Be sure to have 'django.contrib.sites' in INSTALLED_APPS and set SITE_ID parameter in your settings: they may be missing from the settings file generated by django-admin depending on your Django version and project template.

Last edited 21 months ago by googol7 (previous) (diff)

comment:6 Changed 21 months ago by timgraham

Do you have each subdomain setup as a site?

comment:7 Changed 21 months ago by googol7

No I've got:

  • One Django instance with one which contains SITE_ID = 1
  • Django CMS installed and INSTALLED_APPS containing django.contrib.sites The django CMS pages are only rendered for www.domain.tld
  • Several subdomains pointing to the same Django instance. nginx is redirecting / to /admin on these subdomains as we only allow login and password reset but do not display any django CMS content there: abc.domain.tld, def.domain.tld, ghi.domain.tld, jkl.domain.tld
  • In the templates I use a templatetag which returns different configurations (CSS, etc.) for the subdomains in use based on the host: host = context['request'].get_host()

I could remove the single sites object in the database and then password_reset would return RequestSite(request).domain instead of Site.objects.get_current().domain but the sites object in the database is used at other places in the code. So this is not an option. I will get rid of django CMS in this Django instance in the near future so I will be able to remove django.contrib.sites from INSTALLED_APPS - but that will just be a solution for me at that point in time.

Last edited 21 months ago by googol7 (previous) (diff)

comment:8 Changed 21 months ago by timgraham

Thanks for the details. Do you think removing the option isn't acceptable then? Any sense whether this sort of setup is common? Would updating your site to use the sites framework be too much work?

comment:9 Changed 21 months ago by googol7

Good question. I think that updating to the sites framework would be a lot of overhead for us as we just provide a branded site based on the URL. I don't know if this is a common setup but probably it's worth thinking about why the domain defined for a site shall be used for the password reset link in the email and if it would be sufficient to just use request.get_host()

Last edited 20 months ago by googol7 (previous) (diff)

comment:10 Changed 20 months ago by timgraham

It looks like #15089 would address these concerns, so I will try to move that ticket forward.

comment:11 Changed 8 months ago by Tim Graham <timograham@…>

In f1761e3:

Refs #21648 -- Removed is_admin_site option from password_reset() view.

Per deprecation timeline.

Note: See TracTickets for help on using tickets.
Back to Top