Why I can't delete OutstandingToken via django-admin #201
Comments
Superuser account doesn't have permission to delete the outstanding token |
Also facing this issue. Are there any ways around this? I am unable to delete users currently because of this. |
I had used:

```python
from rest_framework_simplejwt.token_blacklist.models import OutstandingToken

OutstandingToken.objects.filter(user__email='email@example.com').delete()
```
|
Check the admin code here: https://github.com/SimpleJWT/django-rest-framework-simplejwt/blob/master/rest_framework_simplejwt/token_blacklist/admin.py#L30-L43 If you would like to delete the OutstandingTokens, re-register the models in your own app. Some companies like having an app called "core" which is for all background, non-essential, etc. stuff. You can register there. @wwarne Mind trying it out? Edit: Just for an explanation, the |
It worked. I created a new app
Thanks! Is there a reason it is set to False that I should be concerned with when I change it? Should we blacklist the token before deleting it (if using blacklist)? |
Ok. I realized there is a problem with this (which is why deleting was likely blocked). This also deletes the blacklisted tokens, essentially undoing blacklist. I'm trying to think of a solution, but since it is a 1:1 relationship, I'm not sure what can be done. Could we change:
to
Would that prevent the Outstanding Token from ever being deleted? |
After looking at the flush script, it doesn't seem like that would affect them getting flushed. Would there be any other negative? If not, I'll create a PR with those changes. |
Created PR #237. Will that work for everyone? Can you try it out? |
Status on this? I can't delete users still, even though I've given permissions via django admin to the superuser account to delete outstanding tokens. Oddly enough, sometimes I can delete users... I guess if they have no outstanding tokens? Can't reproduce that behavior. |
Correct. If they don't have outstanding tokens, you can delete them. This PR will require a migration since it is a FK. |
@hcgaron Refer to the code mjlabe wrote here: #201 (comment) and assign it to users who have the attribute is_superuser set to True. Closing for now. I think if you want to do this, you can with that piece of code above, but it's best if left as is for now. I'll leave the PR open for any further discussion. |
My solution above won't work if there are outstanding tokens. The only way to resolve this is to change the model (#237). Is there a reason not to allow null user for outstanding token?
|
I'm using Blacklist app and if I try to delete one of my users I get the error message
The OutstandingTokenAdmin's `has_delete_permission` method always returns False. So even an admin user with superuser status can't delete this. Is there a reason to forbid deletion of OutstandingTokens?
It's strange but I'm new to all this jwt stuff and maybe I miss something.
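
The cascade concern raised in the comments, as an added example that is not part of the original thread or the project's code: a plain `sqlite3` model of the user → outstanding token → blacklist chain, showing that deleting an outstanding token also removes its blacklist entry, and that a nullable user reference keeps the blacklist intact when a user is deleted. The table names, columns, the `CASCADE` default on the user reference and the database-level `ON DELETE` rules are assumptions for illustration, not the library's models.

```python
import sqlite3

JTI = "constructed-jti-0001"  # constructed sample token id

def build(user_fk_action):
    """Assumed stand-in schema; user_fk_action is 'CASCADE' or 'SET NULL'."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs without this
    db.executescript(f"""
        CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE outstanding (
            id INTEGER PRIMARY KEY, jti TEXT UNIQUE,
            user_id INTEGER REFERENCES user(id) ON DELETE {user_fk_action});
        -- 1:1 with outstanding, as described in the thread
        CREATE TABLE blacklisted (
            id INTEGER PRIMARY KEY,
            token_id INTEGER UNIQUE NOT NULL
                REFERENCES outstanding(id) ON DELETE CASCADE);
        INSERT INTO user VALUES (1, 'email@example.com');
        INSERT INTO outstanding VALUES (10, '{JTI}', 1);
        INSERT INTO blacklisted VALUES (100, 10);
    """)
    return db

def is_blacklisted(db, jti):
    """True while a blacklist row still points at the token with this jti."""
    row = db.execute(
        "SELECT 1 FROM blacklisted b JOIN outstanding o ON o.id = b.token_id"
        " WHERE o.jti = ?", (jti,)).fetchone()
    return row is not None

def blacklist_after(action, user_fk_action="CASCADE"):
    """Apply one admin action, then report whether the token is still revoked."""
    db = build(user_fk_action)
    if action == "delete_token":
        db.execute("DELETE FROM outstanding WHERE jti = ?", (JTI,))
    elif action == "delete_user":
        db.execute("DELETE FROM user WHERE id = 1")
    return is_blacklisted(db, JTI)

if __name__ == "__main__":
    print("untouched:             ", blacklist_after("none"))
    print("token row deleted:     ", blacklist_after("delete_token"))
    print("user deleted, CASCADE: ", blacklist_after("delete_user", "CASCADE"))
    print("user deleted, SET NULL:", blacklist_after("delete_user", "SET NULL"))
```

Any path that removes the outstanding-token row silently drops the revocation record with it, so a token that has not yet expired would no longer be found on the blacklist.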