Issue #1 new

Two step only for admin

Marco Beri
created an issue

I chose to use the two step only for admin (TWOSTEPAUTH_FOR_ADMIN = True). But if the user does the login via the main site (without the two step auth) and after that he manually changes the URL to /admin, he can navigate the admin section without the second step auth. Am I wrong?

Comments (1)

  1. Nuno Maltez

    Yes, you are right. Thanks for pointing that out.

    You could serve the admin site exclusively through a different domain name that does not expose the common login URLs, or that has both TWOSTEPAUTH_FOR_* settings set to True.

    The need for these two different settings (user/admin) should be reviewed and the docs updated.

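The gap discussed in this issue, as an added example that is not part of the original thread or the project's own code: a framework-free model comparing a second step tied to the login view with a check made on every /admin request. The session flag `twostep_verified`, the `Session` class and all function names are hypothetical, and the account is assumed to have admin rights.

```python
# Added illustration; every name here is hypothetical, not django-twostepauth's API.
from dataclasses import dataclass, field
from typing import Optional

ADMIN_PREFIX = "/admin"            # admin path as given in the issue
VERIFIED_KEY = "twostep_verified"  # hypothetical per-session flag


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


def site_login(session, user):
    """Main-site login: password only, no second step for ordinary users."""
    session.user = user


def admin_login(session, user, token_ok):
    """Admin login view: password plus second step; records the result."""
    if not token_ok:
        return False
    session.user = user
    session.data[VERIFIED_KEY] = True
    return True


def is_admin_path(path):
    # Match "/admin" and "/admin/..." but not "/administrator".
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def check_login_only(session, path):
    """Behaviour reported in the issue: any authenticated session passes."""
    return "allow" if session.user else "login"


def check_per_request(session, path):
    """Gate each admin request on the flag, whichever login view was used."""
    if session.user is None:
        return "login"
    if is_admin_path(path) and not session.data.get(VERIFIED_KEY):
        return "second_step"
    return "allow"
```

With the per-request check, a session created through the main-site login is sent to the second step when it reaches /admin, while the rest of the site stays reachable without it.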