Notification bar

The template used for the notification bar is named "hijack/notifications.html", or "hijack/notifications_bootstrap.html" if Bootstrap is enabled.


If your project uses Bootstrap, you may want to set HIJACK_USE_BOOTSTRAP = True in your project settings. Django Hijack will use a Bootstrap notification bar that does not overlap with the default navbar.

Disabling the notification bar

You can temporarily disable the notification bar by setting HIJACK_DISPLAY_WARNING = False.


By default, only superusers are allowed to hijack other users. Django Hijack gives you a variety of options to extend the group of authorized users.

Staff members

Set HIJACK_AUTHORIZE_STAFF = True in your project settings to authorize staff members to hijack non-staff users. If you want staff to be able to hijack other staff as well, enable HIJACK_AUTHORIZE_STAFF_TO_HIJACK_STAFF.

Note that there is no option to authorize staff members to hijack superusers as this would undermine the distinction between staff users and superusers.

Custom authorization function

Advanced Django developers might want to define their own check whether a user may hijack another user. This can be achieved by setting HIJACK_AUTHORIZATION_CHECK to the dotted path of a function which accepts two User objects – hijacker and hijacked – and returns a Boolean value. Example:

HIJACK_AUTHORIZATION_CHECK = 'mysite.utils.my_authorization_check'
def my_authorization_check(hijacker, hijacked):
    Checks if a user is authorized to hijack another user
    if my_condition:
        return True
        return False

Warning: The setting HIJACK_AUTHORIZATION_CHECK overrides the other hijack authorization settings. Defining a custom authorization function can have dangerous effects on your application's authorization system. Potentially, it might allow any user to impersonate any other user and to take advantage of all their permissions.

Custom view decorator

Django Hijack's views are decorated by Django's staff_member_required decorator. If you have written your own authorization function, or haven't installed django.contrib.admin, you may want to override this behaviour by setting HIJACK_DECORATOR to the dotted path of a custom decorator. Example:

HIJACK_DECORATOR = 'mysite.decorators.mydecorator'

Remote users

To work with REMOTE_USER, place 'hijack.middleware.HijackRemoteUserMiddleware' between 'django.contrib.auth.middleware.AuthenticationMiddleware' and 'django.contrib.auth.middleware.RemoteUserMiddleware':


Custom user models

Django Hijack supports custom user models. Just modify your custom UserAdmin class as shown in this example:

# mysite/
from hijack.admin import HijackUserAdminMixin

class MyCustomUserAdmin(UserAdmin, HijackUserAdminMixin):
    list_display = (
        'hijack_field',  # Hijack button

In addition, you should explicitly set HIJACK_DISPLAY_ADMIN_BUTTON = False in your project settings.

Settings overview


Hide or display the "Hijack" buttons in the admin backend. Default: True.


Path to template for the "Hijack" buttons in the admin backend. Default: 'hijack/admin_button.html'


Hide or display the yellow notificiation bar show to hijackers. Default: True.


Whether a Bootstrap-optimized notification bar is used. Default: False.


User attributes by which a user can be hijacked over a URL. Default: ('user_id', 'email', 'username'). May be changed to a subset of the default value.


Whether staff members are allowed to hijack. Default: False.


Whether staff members are allowed to hijack other staff members. Default: False. May not be True if HIJACK_AUTHORIZE_STAFF is disabled.


URL a hijacker is redirected to when starting a hijack. Default: settings.LOGIN_REDIRECT_URL.


URL a hijacker is redirected to when ending a hijack. Default: settings.LOGIN_REDIRECT_URL.


Dotted path of a function checking whether hijacker is allowed to hijack hijacked. Default: 'hijack.helpers.is_authorized_default'.


Dotted path of the decorator applied to the hijack views. Default: 'django.contrib.admin.views.decorators.staff_member_required'.