# User authentication

Misago adds an additional layer of security around the admin areas of your site. Unless you signed in through the admin area directly, you have to authenticate one more time to upgrade your session from a "casual" one to an "administrator" one.

This mechanism was put in place because it's common for forum administrators to browse and use forums while signed in to their administrator account. By default, Django requires a user to be signed in, to have the special `is_staff` flag set on their account, and to know the path to the administration backend in order to administer the site. This is a good approach when staff accounts are used exclusively for administration and not for day-to-day usage.

In addition to the re-authentication requirement, Misago also monitors inactivity periods between requests to admin interfaces. If one exceeds the length specified in the `MISAGO_ADMIN_SESSION_EXPIRATION` setting, Misago assumes that the administrator has been inactive and requests re-authentication on the next request to the admin backend.

The implementation of this mechanism lives in the `misago.admin.auth` module and the `misago.admin.middleware.AdminAuthMiddleware` middleware. The middleware uses functions from `auth` to detect whether a request is pointed at a protected namespace, and if it is, uses them to handle and control the state of the administrator's session.

### `misago.admin.auth.is_admin_session(request)`

Returns true if the current request has a valid administrator session. Otherwise returns false.

### `misago.admin.auth.start_admin_session(request, user)`

Promotes the current session to an administrator session.

### `misago.admin.auth.update_admin_session(request)`

Updates the last activity timestamp on the admin session.

### `misago.admin.auth.close_admin_session(request)`

Closes the current admin session, degrading it to a "casual" session while keeping the user signed in.
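
The session lifecycle described above can be modelled on a plain dictionary. This is an added sketch, not Misago's implementation: the function names mirror the ones documented here, but the session keys, the `/admincp/` prefix, the timeout value in seconds and the `admin_gate` helper are assumptions made for illustration.

```python
import time

# Assumptions for this sketch: the timeout unit/value, the session keys and the
# admin URL prefix are illustrative, not taken from Misago.
ADMIN_SESSION_EXPIRATION = 3600   # seconds of allowed inactivity
ADMIN_PREFIX = "/admincp/"        # protected namespace
USER_KEY, ADMIN_KEY = "auth_user", "admin_session"

def _now(now):
    return time.time() if now is None else now

def start_admin_session(session, now=None):
    """Call only after the signed-in user has re-entered valid credentials."""
    session[ADMIN_KEY] = {"user": session[USER_KEY], "last_activity": _now(now)}

def is_admin_session(session, now=None):
    """Elevation must exist, match the signed-in user and not be idle-expired."""
    state = session.get(ADMIN_KEY)
    if not state or state["user"] != session.get(USER_KEY):
        return False
    return _now(now) - state["last_activity"] <= ADMIN_SESSION_EXPIRATION

def update_admin_session(session, now=None):
    """Slide the inactivity window forward on each admin request."""
    session[ADMIN_KEY]["last_activity"] = _now(now)

def close_admin_session(session):
    """Drop the elevation only; the casual sign-in stays."""
    session.pop(ADMIN_KEY, None)

def admin_gate(session, path, now=None):
    """Middleware-style decision for a single request."""
    if not path.startswith(ADMIN_PREFIX):
        return "pass"              # not an admin URL, elevation is irrelevant
    if is_admin_session(session, now):
        update_admin_session(session, now)
        return "allow"
    close_admin_session(session)   # stale or missing elevation
    return "reauthenticate"        # show the admin login form
```

Only requests to the protected prefix refresh the timestamp, so ordinary forum browsing does not keep the elevated state alive.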

## Testing Admin views using test client

To test protected admin views from within your test cases, you have to open a valid admin session for the test client. Misago provides the `misago.admin.testutils.admin_login` function for this purpose.

### `misago.admin.testutils.admin_login(client, username, password)`

This function makes the provided test client instance use a valid admin session during test requests. Note that internally this function makes a POST request to the `misago:admin:index` link, which should result in the admin login form for unauthenticated users.

