Why I can't delete OutstandingToken via django-admin #201

Closed
wwarne opened this issue Jan 15, 2020 · 13 comments
@wwarne

wwarne commented Jan 15, 2020

I'm using Blacklist app and if I try to delete one of my users I get the error message

Deleting the selected user would result in deleting related objects, but your account doesn't have permission to delete the following types of objects: - outstanding token

The OutstandingTokenAdmin's has_delete_permission method always returns False. So even an admin user with superuser status can't delete this.

Is there a reason to forbid deletion of OutstandingTokens?

It's strange, but I'm new to all this JWT stuff and maybe I'm missing something.

@smb-h

smb-h commented Feb 27, 2020

Superuser account doesn't have permission to delete the outstanding token.
Any solution?

@Roejkum

Roejkum commented Mar 2, 2020

Also facing this issue. Are there any ways around this? I am unable to delete users currently because of this.

@wwarne
Author

wwarne commented Mar 10, 2020

> Also facing this issue. Are there any ways around this? I am unable to delete users currently because of this.

I had used `python manage.py shell` and then deleted tokens by hand:

```python
from rest_framework_simplejwt.token_blacklist.models import OutstandingToken
OutstandingToken.objects.filter(user__email='email@example.com').delete()
```

@Andrew-Chen-Wang
Member

Andrew-Chen-Wang commented Apr 10, 2020

Check the admin code here: https://github.com/SimpleJWT/django-rest-framework-simplejwt/blob/master/rest_framework_simplejwt/token_blacklist/admin.py#L30-L43 If you would like to delete the OutstandingTokens, re-register the models in your own app.

Some companies like having an app called "core" which is for all background, non-essential, etc. stuff. You can register there. @wwarne Mind trying it out?

Edit: Just for an explanation, the has_delete_permission is set False for ALL users.

@mjlabe
Contributor

mjlabe commented Apr 10, 2020

It worked. I created a new app core like you recommended and created a new admin file:

```python
from django.contrib import admin
from rest_framework_simplejwt.token_blacklist.admin import OutstandingTokenAdmin
from rest_framework_simplejwt.token_blacklist.models import OutstandingToken


class CustomOutstandingTokenAdmin(OutstandingTokenAdmin):
    def has_delete_permission(self, *args, **kwargs):
        return True


admin.site.unregister(OutstandingToken)
admin.site.register(OutstandingToken, CustomOutstandingTokenAdmin)
```

Thanks!

Is there a reason it is set to False that I should be concerned with when I change it? Should we blacklist the token before deleting it (if using blacklist)?

@mjlabe
Contributor

mjlabe commented Apr 13, 2020

Ok. I realized there is a problem with this (which is why deleting was likely blocked). This also deletes the blacklisted tokens, essentially undoing the blacklist. I'm trying to think of a solution, but since it is a 1:1 relationship, I'm not sure what can be done.

Could we change:

```python
class OutstandingToken(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE, null=True, blank=True)
```

to

```python
class OutstandingToken(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.SET_NULL, null=True, blank=True)
```

Would that prevent the Outstanding Token from ever being deleted?
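The effect described in the comment above, as an added example that is not part of the original thread or the project's code: a revoked token stops being blacklisted when its owner is deleted under CASCADE, and stays blacklisted under SET_NULL. The table and column names are a constructed, simplified stand-in for the two models, and SQLite's `ON DELETE` clauses stand in for Django's Python-side `on_delete` handling.

```python
import sqlite3

# Constructed, simplified schema: names are illustrative, not the project's
# real tables. Django applies on_delete in Python; the SQL ON DELETE clauses
# below stand in for that behaviour.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE outstanding (
    id INTEGER PRIMARY KEY,
    jti TEXT UNIQUE,
    user_id INTEGER REFERENCES account(id) ON DELETE {on_delete}
);
CREATE TABLE blacklisted (
    id INTEGER PRIMARY KEY,
    token_id INTEGER UNIQUE REFERENCES outstanding(id) ON DELETE CASCADE
);
"""

def is_blacklisted(db, jti):
    """True if a blacklist row still exists for this token id (jti)."""
    row = db.execute(
        "SELECT 1 FROM blacklisted b JOIN outstanding o ON o.id = b.token_id "
        "WHERE o.jti = ?", (jti,)).fetchone()
    return row is not None

def blacklist_survives_user_delete(on_delete):
    """Delete a user who owns a revoked token; report if it stays revoked."""
    if on_delete not in ("CASCADE", "SET NULL"):
        raise ValueError("on_delete must be 'CASCADE' or 'SET NULL'")
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs without this
    db.executescript(SCHEMA.format(on_delete=on_delete))
    db.execute("INSERT INTO account VALUES (1, 'email@example.com')")
    db.execute("INSERT INTO outstanding VALUES (1, 'constructed-jti', 1)")
    db.execute("INSERT INTO blacklisted VALUES (1, 1)")  # token revoked
    assert is_blacklisted(db, "constructed-jti")
    db.execute("DELETE FROM account WHERE id = 1")
    survived = is_blacklisted(db, "constructed-jti")
    db.close()
    return survived

if __name__ == "__main__":
    for mode in ("CASCADE", "SET NULL"):
        print(mode, "-> still blacklisted:", blacklist_survives_user_delete(mode))
```
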

@mjlabe
Contributor

mjlabe commented Apr 13, 2020

After looking at the flush script, it doesn't seem like that would affect them getting flushed. Would there be any other negative? If not, I'll create a PR with those changes.

@mjlabe
Contributor

mjlabe commented Apr 13, 2020

Created PR #237. Will that work for everyone? Can you try it out?

@hcgaron

hcgaron commented Apr 22, 2020

Status on this? I can't delete users still, even though I've given permissions via django admin to the superuser account to delete outstanding tokens.

Oddly enough, sometimes I can delete users... I guess if they have no outstanding tokens? Can't reproduce that behavior.

@mjlabe
Contributor

mjlabe commented Apr 22, 2020

Correct. If they don't have outstanding tokens, you can delete them. This PR will require a migration since it is a FK.

@Andrew-Chen-Wang
Member

@hcgaron Refer to the code mjlabe wrote here: #201 (comment) and assign it to users who have the attribute is_superuser set to True.

Closing for now. I think if you want to do this, you can with that piece of code above, but it's best if left as is for now. I'll leave the PR open for any further discussion.

@mjlabe
Contributor

mjlabe commented May 3, 2020

My solution above won't work if there are outstanding tokens. The only way to resolve this is to change the model (#237). Is there a reason not to allow a null user for an outstanding token?

```python
class OutstandingToken(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.SET_NULL, null=True, blank=True)
```

@Andrew-Chen-Wang
Member

I had just talked about this at #193 but the gist of it is if a user is deleted. @mjlabe
