📦
jeanmarcos/module-admin-bypass— published to Packagist.🏠 Source repository for issues, PRs and releases: jeanmarcos-dev/magento-local-development. The standalone
jeanmarcos-dev/module-admin-bypassrepo is a read-only mirror auto-generated by CI on every release — direct commits to it are overwritten.
⚠️ FOR LOCAL DEVELOPMENT ONLY — NEVER ENABLE IN PRODUCTION
Bypasses Magento 2 admin authentication and auto-logs in a hardcoded development user (local / local123) whenever the admin login page is visited.
BypassAdminAuthentication(pluginaroundonMagento\User\Model\User::verifyIdentity) — accepts any password for any existing admin user.AdminAutologin(pluginaroundonMagento\Backend\Controller\Adminhtml\Auth\Login::execute) — when/adminis visited and nobody is logged in, creates the admin userlocal(passwordlocal123, emailjohn.smith@gmail.com, roleAdministrators) if missing and authenticates as that user. Redirects to*/dashboard.
This module is guarded by Magento's application mode:
| Mode | Allow in Production flag |
Behavior |
|---|---|---|
developer / default |
any | active — bypass and autologin work |
production |
No (default) |
inactive — Magento behaves normally, no user is created |
production |
Yes |
active — explicit override (use at your own risk) |
The guard is implemented in Development_Core (Development\Core\Model\ProductionGuard::isEnabled()) and wired into every plugin via a virtualType in etc/di.xml that binds it to the config path development/admin_bypass/allow_in_production. In production + flag off, the plugins short-circuit with $proceed(...) and do not create the local user nor touch authentication.
Panel path: Stores → Configuration → ⚠ Development Modules → Admin Bypass → General → Allow in Production
- Default:
No. - Changing this flag requires
bin/magento cache:clean configto take effect.
composer require --dev jeanmarcos/module-admin-bypass
bin/magento module:enable Development_AdminBypass
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flushbin/magento module:disable Development_AdminBypass
bin/magento setup:upgrade
bin/magento cache:flushThe disable path is the last line of defense — it removes the module entirely regardless of the allow_in_production flag.
For permanent removal:
composer remove jeanmarcos/module-admin-bypass- Anyone who can reach
/admingains fullAdministratorsaccess when the bypass is active. No password needed. - The hardcoded
local/local123admin user persists in the database once created, even after disabling the module. - Credentials are in plain text in
Plugin/AdminAutologin.phpand are searchable in git history.
After disabling the module in a shared environment, consider deleting the local admin user manually:
DELETE FROM admin_user WHERE username = 'local';AdminBypass/
├── Plugin/
│ ├── AdminAutologin.php # autologin around plugin
│ └── BypassAdminAuthentication.php # password bypass around plugin
├── etc/
│ ├── acl.xml # ACL for the config section
│ ├── adminhtml/
│ │ └── system.xml # admin panel toggle
│ ├── config.xml # default values
│ ├── di.xml # plugin wiring + ProductionGuard virtualType
│ └── module.xml # module declaration (depends on Development_Core)
├── composer.json
├── registration.php
└── README.md
The production-guard helper lives in the shared core package
jeanmarcos/module-core-local-development.
- Toggle doesn't take effect:
bin/magento cache:clean config. - Bypass still works after
module:disable: checkapp/etc/config.phpfor the module entry; runsetup:upgrade. - Autologin loops: another plugin on
Login::executemay be conflicting; inspectgenerated/code/Magento/Backend/Controller/Adminhtml/Auth/Login/Interceptor.php.
- Magento 2.4.x
- PHP 8.1+ (uses constructor property promotion and
readonlyproperties) - Depends on
jeanmarcos/module-core-local-development(installed automatically by Composer).
MIT