
playfire / django-debug-toolbar-user-panel


Panel for the Django Debug toolbar to quickly switch between users

Home Page: http://code.playfire.com/django-debug-toolbar-user-panel/

License: BSD 3-Clause "New" or "Revised" License

Python 100.00%

django-debug-toolbar-user-panel's People

Contributors

dstegelman, jor123, lamby, paramburu, tavva, tomokas

django-debug-toolbar-user-panel's Issues

Security issue if INSTALLED in production even with DEBUG=False

The login function has no security to protect people viewing a production site from manually POSTing to /users/login/1 if you don't entirely disable the plugin by having overridden or different settings between dev and prod (probably a good idea, but easy to overlook by assuming "if DjDT doesn't show up the panels are probably all disabled").

Example of this error:

  • In settings.py DEBUG=False
  • In Chrome, inspect element on any page, manually add <form method="POST" action="/users/login/1"><input type="submit" /></form>
  • Click submit and you should be logged in as user 1

Solution:
Easiest is to add from django.conf import settings to the top and if not settings.DEBUG: return HttpResponseBadRequest() right under line 42

Other somewhat unsafe ideas:

  • Warn all users to only have it in INSTALLED APPS/urls.py on dev instances in the README
  • Make it possible to be able to use it even if DEBUG=False when
    • user is superuser (can't switch back) or
    • user is in some list of users (can't switch back) or
    • IP in INTERNAL_IPS (spoofable if server mishandles x_forwarded_for and someone fakes a proxied request?)
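
The unguarded view next to a guarded one, as an added example that is not the project's code or part of the original issue. It assumes stand-in Settings and Request classes in place of Django's, assumed status codes (302 on success), and adds a REMOTE_ADDR check on top of the DEBUG check the issue proposes:

```python
from dataclasses import dataclass, field
# Constructed stand-ins for django.conf.settings and HttpRequest so this runs
# without Django; only the attribute names mirror Django's.
@dataclass
class Settings:
    DEBUG: bool = False
    INTERNAL_IPS: tuple = ("127.0.0.1",)

@dataclass
class Request:
    method: str = "POST"
    META: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def login_unguarded(request, settings, pk):
    """Behaviour reported in the issue: DEBUG is never consulted."""
    if request.method != "POST":
        return 405
    request.session["user_id"] = pk  # session now acts as user pk
    return 302

def login_guarded(request, settings, pk):
    """The DEBUG check proposed in the issue, plus a peer-address check."""
    if not settings.DEBUG:
        return 400  # HttpResponseBadRequest in a real Django view
    # Compare the socket peer only. X-Forwarded-For is client-controlled
    # unless a trusted proxy overwrites it, so it is deliberately ignored.
    if request.META.get("REMOTE_ADDR") not in settings.INTERNAL_IPS:
        return 403
    if request.method != "POST":
        return 405
    request.session["user_id"] = pk
    return 302

def demo():
    # Constructed requests; returns {case: (status, session user id)}.
    forged = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    local = {"REMOTE_ADDR": "127.0.0.1"}
    cases = {
        "unguarded, DEBUG=False": (login_unguarded, Settings(DEBUG=False), forged),
        "guarded, DEBUG=False": (login_guarded, Settings(DEBUG=False), local),
        "guarded, DEBUG=True, forged XFF": (login_guarded, Settings(DEBUG=True), forged),
        "guarded, DEBUG=True, local": (login_guarded, Settings(DEBUG=True), local),
    }
    out = {}
    for name, (view, cfg, meta) in cases.items():
        req = Request(META=dict(meta))
        out[name] = (view(req, cfg, 1), req.session.get("user_id"))
    return out
print(demo())
```

A regression test for the real view can assert the same thing: with DEBUG=False, a POST to the login URL must leave the session without a user id.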

Permissions/blacklist.

It would be great to be able to exclude users who are members of a certain group from being able to be switched to. I realize that this tool is only meant for trusted users, but there are still a few usernames in my organization that should never be switched to. A blacklist using the django auth Group mechanism would work well I think.

ImportError: No module named urls

With django_debug_toolbar 1.2.1 and Django 1.7 I get the following exception:

Traceback (most recent call last):
  File "./manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/Users/erik/.virtualenvs/proj/lib/python2.7/site-packages/django/core/management/__init__.py", line 385, in execute_from_command_line
    utility.execute()
  File "/Users/erik/.virtualenvs/proj/lib/python2.7/site-packages/django/core/management/__init__.py", line 354, in execute
    django.setup()
  File "/Users/erik/.virtualenvs/proj/lib/python2.7/site-packages/django/__init__.py", line 21, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/Users/erik/.virtualenvs/proj/lib/python2.7/site-packages/django/apps/registry.py", line 108, in populate
    app_config.import_models(all_models)
  File "/Users/erik/.virtualenvs/proj/lib/python2.7/site-packages/django/apps/config.py", line 197, in import_models
    self.models_module = import_module(models_module_name)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/Users/erik/.virtualenvs/proj/src/django-debug-toolbar-user-panel/debug_toolbar_user_panel/models.py", line 1, in <module>
    import debug_toolbar.urls
ImportError: No module named urls

According to the debug toolbar changelog -- version 1.0 brought some changes that required tweaks from third party panels.

Release on pypi

Hi,

Could you release this package on pypi? Or are there some things to be done first?

Thanks for the package btw :-)

setup.py doesn't install templates

The templates directory is missing when installing via pip install https://github.com/playfire/django-debug-toolbar-user-panel/zipball/master. Probably needs an entry in setup.py.
