dmpayton / django-admin-honeypot

:honey_pot: A fake Django admin login screen page.

Home Page: http://django-admin-honeypot.readthedocs.io/

License: MIT License

Languages: Python 98.73%, HTML 1.27%
Topics: python, django

django-admin-honeypot's Introduction

django-admin-honeypot


django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access. This app was inspired by discussion in and around Paul McMillan's security talk at DjangoCon 2011.

Documentation

http://django-admin-honeypot.readthedocs.io

tl;dr

  • Install django-admin-honeypot from PyPI:

    pip install django-admin-honeypot
    
  • Add admin_honeypot to INSTALLED_APPS

  • Update your urls.py:

    urlpatterns = [
        ...
        path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')),
        path('secret/', admin.site.urls),
    ]
    
  • Run python manage.py migrate

NOTE: replace secret in the url above with your own secret url prefix
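The four steps above leave one decision to the reader: what the secret prefix is and where it lives. The following is an added example, not part of django-admin-honeypot or its documentation. It reads the prefix from an environment variable (ADMIN_URL_PREFIX is an assumed name), rejects short or guessable names, including the README's own placeholder `secret`, and only then builds the urlpatterns shown above. Django is imported lazily so the validation runs without a configured settings module.

```python
"""Wire the honeypot at /admin/ and the real admin at a prefix read from the
environment, refusing to start on a guessable prefix.

Added example, not part of django-admin-honeypot. ADMIN_URL_PREFIX is an
assumed environment variable name; GUESSABLE_PREFIXES is an assumed list.
"""
import os
import re

# Names an attacker will try before anything else; a "secret" admin mounted
# under one of these gains nothing from the honeypot. Assumed list, extend it.
GUESSABLE_PREFIXES = frozenset({
    "admin", "administrator", "administration", "manage", "management",
    "backend", "backoffice", "cp", "panel", "dashboard", "wp-admin", "secret",
})

# One URL segment: letters, digits, '-' and '_', long enough that a wordlist
# scan of candidate admin paths will not land on it.
_PREFIX_RE = re.compile(r"^[A-Za-z0-9_-]{12,64}$")


def validate_admin_prefix(prefix):
    """Return the prefix normalised to 'name/' (what path() expects) or
    raise ValueError with the reason it was rejected."""
    cleaned = (prefix or "").strip().strip("/")
    if not _PREFIX_RE.match(cleaned):
        raise ValueError(
            "ADMIN_URL_PREFIX must be 12-64 characters of [A-Za-z0-9_-], got %r" % prefix
        )
    if cleaned.lower() in GUESSABLE_PREFIXES:
        raise ValueError("ADMIN_URL_PREFIX %r is a name attackers try first" % cleaned)
    return cleaned + "/"


def admin_prefix_from_env(environ=None):
    """Read and validate the prefix. A missing variable is an error rather
    than a silent fallback to 'admin/', which would mount the real admin on
    top of the honeypot."""
    environ = os.environ if environ is None else environ
    if "ADMIN_URL_PREFIX" not in environ:
        raise RuntimeError("ADMIN_URL_PREFIX is not set")
    return validate_admin_prefix(environ["ADMIN_URL_PREFIX"])


def build_urlpatterns(admin_prefix):
    """The urls.py wiring from the README with the validated prefix.
    Django is imported here so the validation above is usable (and testable)
    without a configured Django settings module."""
    from django.contrib import admin
    from django.urls import include, path

    return [
        # Honeypot first: admin_honeypot.urls matches everything under it.
        path("admin/", include("admin_honeypot.urls", namespace="admin_honeypot")),
        path(admin_prefix, admin.site.urls),
    ]


# In the project's urls.py:
# urlpatterns = build_urlpatterns(admin_prefix_from_env())
```

Failing hard at startup is deliberate: a honeypot whose real admin sits at `admin/` or `secret/` only tells the attacker which page to skip.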

django-admin-honeypot's People

Contributors

aaronbassett, allardbrain, bashu, brutasse, daonb, dmpayton, douglaskastle, echevemaster, evasdk, harisibrahimkv, jarus, jezdez, keda87, mentix02, mvasilkov, protoroto, timgates42

django-admin-honeypot's Issues

Django 1.7 admin login redirection strategy

How the Django admin handles unauthenticated users has changed in 1.7:

https://docs.djangoproject.com/en/dev/releases/1.7/#admin-login-redirection-strategy

Currently, DAH emulates the pre-1.7 pattern of displaying the admin login form on whatever the /admin/ URL is. Should DAH only emulate pre-1.7, or do we add additional view(s) to make DAH properly emulate both pre-1.7 and 1.7+?

How important is it to make DAH work the "right way" for the installed version of Django? If an attacker somehow knows that a site uses Django 1.7, but sees the pre-1.7 login functionality, they're likely to determine that this is not the correct admin URL and may keep looking for it elsewhere.

Considering that DAH ultimately falls into the "security through obscurity" category, is it even worth the effort to implement? It's possible to make the case that DAH only needs to look roughly like an admin login page, not necessarily emulate it exactly in every way.

Error 500 after first login try

In my production environment, when I open /admin which is configured for honeypot, I enter an email and a password and I get a server error 500, but the attempt is logged in the DB. Any clue?

Django 4.0 ugettext_lazy error

Hi,

As per Django 4.0

django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(), ungettext(), and ungettext_lazy() are removed.

Here is the error:

...
File "/somepath/lib/python3.10/site-packages/admin_honeypot/models.py", line 2, in <module>
    from django.utils.translation import ugettext_lazy as _
ImportError: cannot import name 'ugettext_lazy' from 'django.utils.translation' (/somepath/lib/python3.10/site-packages/django/utils/translation/__init__.py)

Related to #83

Does anyone have an updated version of this, since it hasn't been updated for some time?

In Postgresql and Python 3 error


Environment:

Request Method: POST
Request URL: http://www.thecolornet.com/admin/login/?next=/admin/

Django Version: 1.9.5
Python Version: 3.4.3
Installed Applications:
('django.contrib.admin',
'django.contrib.sites',
'registration',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'admin_honeypot',
'markdown_deux',
'pagedown',
'rest_framework',
'custom_user',
'imagekit',
'crispy_forms',
'storages',
'newsletter',
'comments',
'blog',
'ajaxsearch')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware')

Traceback:

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
    return self.cursor.execute(sql, params)

The above exception (invalid input syntax for type inet: "b''"
LINE 1: ...p", "path") VALUES ('[email protected]', 'b'''''::i...
^
) was the direct cause of the following exception:

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/core/handlers/base.py" in get_response
    response = self.process_exception_by_middleware(e, request)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/core/handlers/base.py" in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/base.py" in view
    return self.dispatch(request, *args, **kwargs)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/admin_honeypot/views.py" in dispatch
    return super(AdminHoneypot, self).dispatch(request, *args, **kwargs)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/base.py" in dispatch
    return handler(request, *args, **kwargs)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/edit.py" in post
    return self.form_invalid(form)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/admin_honeypot/views.py" in form_invalid
    path=self.request.get_full_path(),

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/manager.py" in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/query.py" in create
    obj.save(force_insert=True, using=self.db)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in save
    force_update=force_update, update_fields=update_fields)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in save_base
    updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in _save_table
    result = self._do_insert(cls._base_manager, using, fields, update_pk, raw)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in _do_insert
    using=using, raw=raw)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/manager.py" in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/query.py" in _insert
    return query.get_compiler(using=using).execute_sql(return_id)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/sql/compiler.py" in execute_sql
    cursor.execute(sql, params)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
    return super(CursorDebugWrapper, self).execute(sql, params)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
    return self.cursor.execute(sql, params)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/utils.py" in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/utils/six.py" in reraise
    raise value.with_traceback(tb)

File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
    return self.cursor.execute(sql, params)

Exception Type: DataError at /admin/login/
Exception Value: invalid input syntax for type inet: "b''"
LINE 1: ...p", "path") VALUES ('[email protected]', 'b'''''::i...
^

Documentation does not mention Django Sites Framework as requirement

It seems as if the Django sites framework has to be enabled to use this app. Is this requirement missing from the docs? It would be great to have a version without this dependency, or at least to make the dependency optional. If that makes sense to you, I could provide a pull request.

module not found error on deployment

Locally I was able to edit the urls.py in /site-packages/ to include the app_name tag.
I can't get it to work when I'm deploying to Heroku.

any help is appreciated

Candidate for jazzband?

Lately there is not much activity in this repo anymore.
Some pull requests do not seem to get merged #88 and there is no up-to-date PyPI release #93.
Should we propose the project as a candidate for jazzband?

@dmpayton what do you think about it?

Every IP address is 172.17.0.6

Hello all 👋.

I've been using a forked version of this in an app running on Google App Engine. It has a custom runtime specified by a Dockerfile. Every login attempt at the honeypot site is said to originate from 172.17.0.6, which seems to be an infrastructure-related IP, rather than the user's IP.

The changes I made in the forked version shouldn't be a factor, so I was wondering if anyone had any thoughts?

Forms compatible with django 1.7

I got the error "cannot import name ERROR_MESSAGE" on Django 1.7.
This error is located at this line in forms.py:
from django.contrib.admin.forms import AdminAuthenticationForm, ERROR_MESSAGE

IP Address GDPR/PII Compliance

Noticed some other issues and pull requests on this package regarding IP address and tracking locations.

You might be able to ignore the encryption/decryption if your linux server is secured.

Although these are great ideas and helpful for security, IP address falls under GDPR / PII laws and just keeping this tracked in the database somewhere violates these laws. To resolve this, encrypting the IP address is needed or simply do not track it at all (give users the option to do it with a setting rather than doing it by default). Decrypting this would be needed for site administrators to do something specific with a suspicious hacker IP address.

The django-fernet-fields package encrypts and decrypts fields with the SECRET_KEY in settings. Others like django-pgcrypto-fields use the postgres pgcrypto extension to encrypt the field and users could decrypt it with a database query. It would be nice for this package to have this built in without needing to rely on these other packages and overriding the app.

You need to be able to get the real IP address of the client even if the server is behind cloudflare or a load balancer. You don't want to block people if they are behind the same cloudflare IP address then everyone on your site will be blocked/rate limited which is bad. There is also the issue of IP spoofing where a malicious user could fake their IP address.

These are just some ideas. Looking forward to hearing what everyone else thinks.

Django 3.1+ deprecation warning for usage of ugettext() function

Deprecation warning from Django 3.1+:
I suggest replacing all calls to ugettext() with gettext()

admin_honeypot\views.py:38: 
RemovedInDjango40Warning: django.utils.translation.ugettext() is deprecated in favor of django.utils.translation.gettext().
'title': _('Log in'),

Template for the view should be different from real admin

Currently, the template used for rendering the view is the same as real admin login (/admin/login.html)

This results in the following:

  • The attacker can learn the real url of the admin by looking at the code, and seeing the path for the static files.
  • The attacker can learn that this is a Django site, at least.

I suggest that either a separate login template is provided, or at least someway for the library user to provide that template.

Django 1.6 support gone?

This is on Django 1.6:

File "virtualenvs/xxxxxx/local/lib/python2.7/site-packages/admin_honeypot/migrations/0001_initial.py", line 4, in <module>
    from django.db import models, migrations
ImportError: cannot import name migrations

Version 0.3.0 works on Django 1.6, but no longer seems to be on the python package index.

Django 2.0 Compatibility - reverse()

reverse() should be imported from django.urls now or you'll get the following:

File "/home/jens/virtualenvs/licensing/lib/python3.6/site-packages/admin_honeypot/models.py", line 3, in <module>
    from admin_honeypot import listeners
  File "/home/jens/virtualenvs/licensing/lib/python3.6/site-packages/admin_honeypot/listeners.py", line 4, in <module>
    from django.core.urlresolvers import reverse
ModuleNotFoundError: No module named 'django.core.urlresolvers'

How admin can login using Django-admin-honeypot?

If I am using django-admin-honeypot, then how can an admin log in to the admin page? As we are trying this in the production environment, it will be difficult to change the code every time to make changes from the admin page.

Release on PyPI?

I see that develop has been compatible with Django 4.0 since December 2021 but, to this day, there has been no release on PyPI, and this dependency may be preventing projects from migrating to Django>=4.

`notify_admins` crashes because it uses nonexistent URL `admin:admin_honeypot_loginattempt_change`

The notify_admins function in listeners.py begins with this line:

    path = reverse('admin:admin_honeypot_loginattempt_change', args=(instance.pk,))

That URL does not exist, so I'm getting spammed with error emails saying:

NoReverseMatch at /admin/login/
Reverse for 'admin_honeypot_loginattempt_change' not found. 'admin_honeypot_loginattempt_change' is not a valid view function or pattern name.

ipware?

Hi all,

I find it kind of crazy that this library has no built in way to pull IP addresses from anything other than REMOTE_ADDR. On AWS, this is always the IP of my load balancer and it makes it completely useless.

I know I can add a middleware, but why can't we be better than this? django-axes (https://github.com/jazzband/django-axes) handles this really nicely by using django-ipware(https://github.com/un33k/django-ipware) to get the IP and allowing us to configure the ipware precedence order: https://django-axes.readthedocs.io/en/latest/4_configuration.html#configuring-reverse-proxies

Can we do something similar here?
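The three reports above (every attempt logged as 172.17.0.6, the GDPR question, and REMOTE_ADDR being the load balancer) are one problem: which address to believe, and what to store. The following is an added example, not code from django-admin-honeypot or django-ipware. It walks X-Forwarded-For right to left and believes a hop only while it was appended by a proxy in a trusted list, so a client cannot spoof its way in by sending its own header. The TRUSTED_PROXIES ranges and the META dicts are constructed for the example. The same normaliser also coerces bytes to str and maps an empty value to None, which is what the `b''` inet DataError reported elsewhere on this page would need, and a `coarsen()` helper shows one answer to the PII point (keep the network, drop the host) as an alternative to the encrypted-column approach proposed there.

```python
"""Resolve the client address for a honeypot LoginAttempt when the app sits
behind a load balancer, CDN or Docker network.

Added example: not code from django-admin-honeypot or django-ipware.
TRUSTED_PROXIES and the META dicts below are constructed for the example;
put your own proxy/CDN ranges there.
"""
import ipaddress

# Only these sources may append to X-Forwarded-For. Constructed for the
# example: RFC 1918 ranges (172.17.0.6 from the report above falls in the
# second one) plus a documentation range standing in for a CDN edge.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def parse_ip(value):
    """Normalise one header or META value to a canonical IP string, or None.

    Bytes are decoded first: PostgreSQL rejecting the text b'' is what an
    empty bytes value reaching a GenericIPAddressField looks like. An empty
    or malformed value becomes None so the row is still written (the field
    must be nullable for that).
    """
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    if not value:
        return None
    value = value.strip()
    # Some proxies append a port: "198.51.100.7:51234" or "[2001:db8::1]:443".
    if value.startswith("["):
        value = value[1:].split("]", 1)[0]
    elif value.count(":") == 1:
        value = value.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def client_ip(meta, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For right to left, dropping trusted proxies.

    REMOTE_ADDR is the only value the TCP connection vouches for. If it is
    not a trusted proxy the header is attacker-controlled and ignored.
    Otherwise each hop from the right is believed only while it was appended
    by a trusted proxy; the first untrusted hop is the client, and anything
    to its left is whatever the client chose to send.
    """
    remote = parse_ip(meta.get("REMOTE_ADDR"))
    if remote is None or not is_trusted(remote, trusted):
        return remote
    header = meta.get("HTTP_X_FORWARDED_FOR") or ""
    if isinstance(header, bytes):
        header = header.decode("ascii", "replace")
    candidate = remote
    for raw in reversed(header.split(",")):
        if not raw.strip():
            continue
        hop = parse_ip(raw)
        if hop is None:
            return None  # garbage inside the trusted segment: record unknown, not a guess
        if not is_trusted(hop, trusted):
            return hop
        candidate = hop
    return candidate  # every hop was a proxy of ours; the leftmost is the best we have


def coarsen(ip):
    """Keep the network, drop the host (/24 for IPv4, /48 for IPv6), so the
    row still shows where attempts cluster without storing a full address.
    One option for the PII concern, as an alternative to encrypting the column."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
    return str(network.network_address)


if __name__ == "__main__":
    # Constructed request META, as a WSGI server behind a proxy would fill it in.
    meta = {"REMOTE_ADDR": "172.17.0.6",
            "HTTP_X_FORWARDED_FOR": "9.9.9.9, 198.51.100.7, 10.1.2.3"}
    print(client_ip(meta))           # 198.51.100.7 (9.9.9.9 was client-supplied)
    print(coarsen(client_ip(meta)))  # 198.51.100.0
```

In a Django project the natural place for `client_ip()` is a middleware that sets the result on the request before the honeypot view saves its LoginAttempt; the trusted list should contain exactly the addresses of your own proxies, never a CDN's published ranges pasted in without an expiry, since any hop that is wrongly trusted lets the client pick the logged address.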

Django 1.9 deprecates IPAddressField

Running ./manage.py check on django/master yields the following:

WARNINGS:
admin_honeypot.LoginAttempt.ip_address: (fields.W900) IPAddressField has been deprecated. Support for it (except in historical migrations) will be removed in Django 1.9.
HINT: Use GenericIPAddressField instead.

Not urgent, but worth considering, IMO.

Removed in Django 1.10 Warning

I recently updated to Django 1.9 and it throws this warning:

admin_honeypot\urls.py:19: RemovedInDjango110Warning: django.conf.urls.patterns() is deprecated and will be removed in Django 1.10. Update your urlpatterns to be a list of django.conf.urls.url() instances instead.
url(r'^.*$', views.AdminHoneypot.as_view(), name='index'),

I had to change ip_address to GenericIPAddressField just to get my server to run, and once it was running I got the warning above.

Missing updated migrations in package

It seems that not all migrations are updated in the package. I get these messages:

On make_migrations:

docker-compose -f local.yml run --rm django python manage.py makemigrations
Creating backend_django_run ... done
PostgreSQL is available
Migrations for 'admin_honeypot':
  /usr/local/lib/python3.8/site-packages/admin_honeypot/migrations/0003_alter_loginattempt_id.py
    - Alter field id on loginattempt

On makemigrations (in my case with django-tenants this is: migrate_schemas):

Creating backend_django_run ... done
PostgreSQL is available
[standard:public] === Starting migration
[standard:public] Operations to perform:
[standard:public]   Apply all migrations: account_profiles, accounts, admin, admin_honeypot, ...
[standard:public] Running migrations:
[standard:public]   No migrations to apply.
[standard:public]   Your models in app(s): 'admin_honeypot' have changes that are not yet reflected in a migration, and so won't be applied.
[standard:public]   Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.

How to deal with this?

No longer used library - ugettext_lazy changed to gettext_lazy as _

I've changed all ugettext_lazy as _ to gettext_lazy as _ and it is working, but I have a problem when deploying the app on Heroku:

from django.utils.translation import ugettext_lazy as _
remote: ImportError: cannot import name 'ugettext_lazy' from 'django.utils.translation' (/app/.heroku/python/lib/python3.10/site-packages/django/utils/translation/__init__.py)

Authenticated staff users should not see the honeypot.

Rationale:

  • It's pointless; they're signed in, they're trusted, their inability to remember the correct URL is their only crime
  • Valid admin users can get 'stuck' trying to sign in, even though they are.
  • It exposes the real admin URL, but only in a way that is broken, see next point.
  • It displays the "Welcome, X ... Change Password / Log out" text, and this cannot be worked around because that text is not contained within a {% block %} in the admin/base.html within the standard contrib module.

Recommended solution:

redirect_conditions = [
    request.user.is_authenticated(),
    request.user.is_active,
    request.user.is_staff,
]
if all(redirect_conditions):
    return redirect(somewhere_else)

Problems:

I cannot think of a way to redirect to the correct admin area, or rather, I can, but only by assuming that the AdminSite being used mounts itself using the admin: namespace, which isn't ideal, though probably is acceptably correct.

Django fastdev template errors on /admin route due to missing variables in the context

Context

I followed the documentation and configured my honeypot URL so that when the user visits /admin, their entries are logged as login attempts in the database.

I ran into template errors after I installed django-fastdev where the following template tags were missing on the admin route: subtitle, site_title, is_popup, and site_header

These are probably missing because I never configured them for my original admin page. There is a ticket about the subtitle being missing in this official Django issue.
https://code.djangoproject.com/ticket/32681

Steps to Reproduce

1 - Follow the doc and get honeypot intercepting /admin requests
2 - Visit /admin route
Admin login page shows as expected
3 - Pip install django-fastdev
4 - Visit /admin route again
Template errors occur

Workaround

I went into the admin_honeypot.views.AdminHoneyPot and added these four variables to get_context_data

    def get_context_data(self, **kwargs):
        context = super(AdminHoneypot, self).get_context_data(**kwargs)
        path = self.request.get_full_path()
        context.update({
            'app_path': path,
            REDIRECT_FIELD_NAME: reverse('admin_honeypot:index'),
            'title': _('Log in'),
            'subtitle': None,  # added
            'site_title': None,  # added
            'is_popup': None,  # added
            'site_header': None,  # added
        })
        return context

Now when I visit /admin I don't have any more template errors

Environment

django-fastdev 1.7.2
Python 3.9.7
Django 3.2.13

DataError

Hi, I have this problem in production mode
DataError: invalid input syntax for type inet: "b''"
LINE 1: ..._agent", "timestamp", "path") VALUES ('jfajardo', 'b'''''::i...
^

File "django/db/backends/utils.py", line 64, in execute
return self.cursor.execute(sql, params)
DataError: invalid input syntax for type inet: "b''"
LINE 1: ..._agent", "timestamp", "path") VALUES ('jfajardo', 'b'''''::i...
^

File "django/core/handlers/exception.py", line 39, in inner
response = get_response(request)
File "django/core/handlers/base.py", line 249, in _legacy_get_response
response = self._get_response(request)
File "django/core/handlers/base.py", line 187, in _get_response
response = self.process_exception_by_middleware(e, request)
File "django/core/handlers/base.py", line 185, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "django/views/generic/base.py", line 68, in view
return self.dispatch(request, *args, **kwargs)
File "admin_honeypot/views.py", line 27, in dispatch
return super(AdminHoneypot, self).dispatch(request, *args, **kwargs)
File "django/views/generic/base.py", line 88, in dispatch
return handler(request, *args, **kwargs)
File "django/views/generic/edit.py", line 185, in post
return self.form_invalid(form)
File "admin_honeypot/views.py", line 51, in form_invalid
path=self.request.get_full_path(),
File "django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "django/db/models/query.py", line 399, in create
obj.save(force_insert=True, using=self.db)
File "django/db/models/base.py", line 796, in save
force_update=force_update, update_fields=update_fields)
File "django/db/models/base.py", line 824, in save_base
updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
File "django/db/models/base.py", line 908, in _save_table
result = self._do_insert(cls._base_manager, using, fields, update_pk, raw)
File "django/db/models/base.py", line 947, in _do_insert
using=using, raw=raw)
File "django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "django/db/models/query.py", line 1045, in _insert
return query.get_compiler(using=using).execute_sql(return_id)
File "django/db/models/sql/compiler.py", line 1054, in execute_sql
cursor.execute(sql, params)
File "raven/contrib/django/client.py", line 114, in execute
return real_execute(self, sql, params)
File "django/db/backends/utils.py", line 64, in execute
return self.cursor.execute(sql, params)
File "django/db/utils.py", line 94, in exit
six.reraise(dj_exc_type, dj_exc_value, traceback)
File "django/utils/six.py", line 685, in reraise
raise value.with_traceback(tb)
File "django/db/backends/utils.py", line 64, in execute
return self.cursor.execute(sql, params)

Compatible with Django 1.7 migration scheme

With Django 1.7 in development, and the new Schema migrations merged into the master, it would be cool to make django-admin-honeypot compatible with it.
Any thoughts on that?

Why honeypot doesn't track the location from IP Address?

This plugin is very useful, but why doesn't it track the location? For example by using GeoIP with pygeoip and tracking the city, or else...

>>> gi = pygeoip.GeoIP('GeoIPCity.dat')
>>> gi.record_by_addr('64.233.161.99')
{
    'city': u'Mountain View',
    'region_code': u'CA',
    'area_code': 650,
    'time_zone': 'America/Los_Angeles',
    'dma_code': 807,
    'metro_code': 'San Francisco, CA',
    'country_code3': 'USA',
    'latitude': 37.41919999999999,
    'postal_code': u'94043',
    'longitude': -122.0574,
    'country_code': 'US',
    'country_name': 'United States',
    'continent': 'NA'
}
>>> gi.time_zone_by_addr('64.233.161.99')
'America/Los_Angeles'

cannot import name 'ugettext_lazy' from 'django.utils.translation'

/home/com/venv/bin/python /com/manage.py runserver 8000 
Watching for file changes with StatReloader
Exception in thread django-main-thread:
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 953, in run
    self._target(*self._args, **self._kwargs)
  File "/com/venv/lib/python3.10/site-packages/django/utils/autoreload.py", line 64, in wrapper
    fn(*args, **kwargs)
  File "/com/venv/lib/python3.10/site-packages/django/core/management/commands/runserver.py", line 125, in inner_run
    autoreload.raise_last_exception()
  File "/com/venv/lib/python3.10/site-packages/django/utils/autoreload.py", line 87, in raise_last_exception
    raise _exception[1]
  File "/com/venv/lib/python3.10/site-packages/django/core/management/__init__.py", line 398, in execute
    autoreload.check_errors(django.setup)()
  File "/com/venv/lib/python3.10/site-packages/django/utils/autoreload.py", line 64, in wrapper
    fn(*args, **kwargs)
  File "/com/venv/lib/python3.10/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/com/venv/lib/python3.10/site-packages/django/apps/registry.py", line 116, in populate
    app_config.import_models()
  File "/com/venv/lib/python3.10/site-packages/django/apps/config.py", line 304, in import_models
    self.models_module = import_module(models_module_name)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/com/venv/lib/python3.10/site-packages/admin_honeypot/models.py", line 2, in <module>
    from django.utils.translation import ugettext_lazy as _
ImportError: cannot import name 'ugettext_lazy' from 'django.utils.translation' (/com/venv/lib/python3.10/site-packages/django/utils/translation/__init__.py)

I am surely using the most current versions of the dependencies.

Django 4.0.6
django-admin-honeypot 1.1.0

However, I saw some issues in this repository about these errors and you said so, but it doesn't seem to be solved!
Please help

Undefined template variables make page look different than default Django login page

We've recently started logging missing template variables (similar to: https://docs.djangoproject.com/en/3.0/ref/templates/api/#how-invalid-variables-are-handled). In this process we noticed that the honeypot login page is complaining about three undefined variables:

  1. site_title
  2. site_header
  3. username

Looking at the page visually, it also looked different than the actual Django login page - the title was missing from the honeypot page. After looking at django-admin-honeypot code and tinkering, I think the discrepancy is in views.py - specifically, if I add site_title to the context returned by get_context_data, it solves the issue.

My guess is that Django templates became more and more customizable, the context wasn't updated and so now there is this discrepancy. I wanted to make sure that my understanding of this is correct before submitting a PR.
@dmpayton what do you think? Does it make sense?

(and of course, thanks for the great library!)

Django 3.2 migration required if using BigAutoField

With Django 3.2 when

DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'

is set in settings, then a migration is required for admin_honeypot:

Migrations for 'admin_honeypot':
  /usr/local/lib/python3.8/site-packages/admin_honeypot/migrations/0003_alter_loginattempt_id.py
    - Alter field id on loginattempt

This fails due to write permissions (at least in my application)

The relevant documentation is at: https://docs.djangoproject.com/en/3.2/releases/3.2/#customizing-type-of-auto-created-primary-keys

In django celery beat the solution was the following : celery/django-celery-beat@7416e22

Can admin:index be overloaded in 3rd party templates?

While looking at this code I found out that after django1.7 the secret name for the login location was being leaked in the dummy page. After investigating I saw this line in honeypot_html:

<h1 id="site-name"><a href="/secret/">Django administration</a></h1>

This was a result of what was added in Django 1.7 to the base_site.html file located here:

.tox/django17_py34/lib/python3.4/site-packages/django/contrib/admin/templates/admin/base_site.html

has the line:

<h1 id="site-name"><a href="{% url 'admin:index' %}">{{ site_header|default:_('Django administration') }}</a></h1>

which contains the url admin:index. This is where the secret name is leaking. Once admin_honeypot is installed, anyone that uses admin:index in a template will resolve to the secret location and not the dummy location.

I know that for the admin_honeypot app this can easily be overloaded for its own templates (though not as easily for all versions of Django from 1.4 through 1.9). However, even if admin_honeypot is installed, if another app uses admin:index in one of its URLs the secret location will leak and an intruder can figure out the correct location.

It is a big ask, I think, but is it somehow possible that when this app is installed, anywhere admin:index is encountered in any app under that Django install is overloaded with the admin_honeypot:index URL instead? With the exception of the real admin pages, hosted under the secret name.
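The leak described in this issue, and the related point in "Template for the view should be different from real admin" above, is easy to regression-test once the page is rendered. The following is an added example, not part of django-admin-honeypot: it audits a rendered honeypot page for any URL attribute under the real admin prefix, counts raw mentions of the prefix (inline scripts and comments that an attribute scan misses), and separately lists the /static/admin/ paths that fingerprint a Django admin even when no secret leaks. SAMPLE_HONEYPOT_HTML is a constructed stand-in for a Django 1.7+ login page rendered by the honeypot view with the real admin at the README's `secret/` prefix; it mirrors the `<h1 id="site-name">` line quoted above.

```python
"""Audit a rendered honeypot page for references to the real admin.

Added example, not part of django-admin-honeypot. SAMPLE_HONEYPOT_HTML is a
constructed stand-in for the admin login template rendered by the honeypot
view with the real admin mounted at the README's 'secret/' prefix.
"""
from html.parser import HTMLParser

# Attributes that carry a URL the browser (or a curious attacker) will follow.
URL_ATTRS = {"href", "src", "action", "formaction", "data-url"}


class _UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))


def audit_honeypot_html(html, secret_prefix):
    """Return a report with three keys:
    admin_url    - (tag, attr, url) triples under the real admin prefix
    raw_mentions - occurrences of the prefix anywhere in the document
                   (inline scripts, JSON blobs, comments the parser skips)
    fingerprint  - URLs under /static/admin/, which say 'Django admin'
                   even when no secret leaks
    """
    secret = "/" + secret_prefix.strip("/") + "/"
    collector = _UrlCollector()
    collector.feed(html)
    return {
        "admin_url": [(t, a, u) for t, a, u in collector.urls if u.startswith(secret)],
        "raw_mentions": html.count(secret),
        "fingerprint": [(t, a, u) for t, a, u in collector.urls if "/static/admin/" in u],
    }


def assert_no_admin_leak(html, secret_prefix):
    """Drop this into a test: fetch the honeypot URL with the test client and
    fail the build if the response names the real admin."""
    report = audit_honeypot_html(html, secret_prefix)
    if report["admin_url"] or report["raw_mentions"]:
        raise AssertionError(
            "honeypot page reveals %r: %r" % (secret_prefix, report["admin_url"])
        )
    return report


# Constructed sample: what the stock admin/login.html produces through the
# honeypot view when {% url 'admin:index' %} resolves to the real admin.
SAMPLE_HONEYPOT_HTML = """<!DOCTYPE html>
<html><head><title>Log in | Django site admin</title>
<link rel="stylesheet" href="/static/admin/css/base.css"></head>
<body><div id="header">
<h1 id="site-name"><a href="/secret/">Django administration</a></h1></div>
<form action="/admin/login/?next=/admin/" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="constructed">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form></body></html>
"""

if __name__ == "__main__":
    report = audit_honeypot_html(SAMPLE_HONEYPOT_HTML, "secret")
    print(report["admin_url"])  # [('a', 'href', '/secret/')]
```

Wiring the assertion into the test suite (render the honeypot URL with Django's test client, pass `response.content.decode()` and the configured prefix) turns the leak into a failing test rather than something noticed after deployment; the `fingerprint` list is informational, since hiding that the site runs Django is a separate and much larger job.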

Exception when trying to log in with email instead of username

Traceback:

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/site-packages/django/core/handlers/base.py" in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)

File "/Users/dchaplinsky/Projects/foobar/env/src/firepython/firepython/middleware.py" in process_view
    return self._profile_wrap(callback)(*args, **callback_kwargs)

File "/Users/dchaplinsky/Projects/foobar/env/lib/python2.6/site-packages/admin_honeypot/views.py" in admin_honeypot
    context['form'].is_valid()

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/site-packages/django/forms/forms.py" in is_valid
    return self.is_bound and not bool(self.errors)

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/site-packages/django/forms/forms.py" in _get_errors
    self.full_clean()

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/site-packages/django/forms/forms.py" in full_clean
    self._clean_form()

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/site-packages/django/forms/forms.py" in _clean_form
    self.cleaned_data = self.clean()

File "/Users/dchaplinsky/Projects/foobar/env/lib/python2.6/site-packages/admin_honeypot/forms.py" in clean
    message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username

Exception Type: NameError at /admin/
Exception Value: global name 'user' is not defined

Seems like a copy-paste error, and this is an effective way to reveal that the site admin is using a honeypot admin.

ModuleNotFoundError: No module named 'admin_honeypot'

Can't install with pip3 or conda.

Traceback (most recent call last):
  File "manage.py", line 21, in <module>
    main()
  File "manage.py", line 17, in main
    execute_from_command_line(sys.argv)
  File "/Users/justin/anaconda3/lib/python3.7/site-packages/django/core/management/__init__.py", line 401, in execute_from_command_line
    utility.execute()
  File "/Users/justin/anaconda3/lib/python3.7/site-packages/django/core/management/__init__.py", line 377, in execute
    django.setup()
  File "/Users/justin/anaconda3/lib/python3.7/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/Users/justin/anaconda3/lib/python3.7/site-packages/django/apps/registry.py", line 91, in populate
    app_config = AppConfig.create(entry)
  File "/Users/justin/anaconda3/lib/python3.7/site-packages/django/apps/config.py", line 90, in create
    module = import_module(entry)
  File "/Users/justin/anaconda3/lib/python3.7/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
  File "<frozen importlib._bootstrap>", line 983, in _find_and_load
  File "<frozen importlib._bootstrap>", line 965, in _find_and_load_unlocked
ModuleNotFoundError: No module named 'admin_honeypot'
