
Support ALLOW_SUPPORT_LOGIN in Docker #7398

@grantfitzsimmons

Description


Is your feature request related to a problem? Please describe.
IT support and admins sometimes need to impersonate users to troubleshoot, provide support, or conduct training. Enabling it in managed deployments and development environments would allow administrators to use it securely within the Specify 7 docker container.

Describe the solution you'd like
Allow enabling the ALLOW_SUPPORT_LOGIN environment variable in the Dockerfile and configuration so admins can generate support login tokens. This should be set to True in specify_settings.py or in the docker-compose.yml file for managed deployments.

https://discourse.specifysoftware.org/t/allow-support-login-documentation/2838/1

Example configuration location:

ALLOW_SUPPORT_LOGIN = False
SUPPORT_LOGIN_TTL = 300

Usage steps:

  1. Enter the running Specify 7 container:
    docker exec -it specify7 /bin/bash
  2. Run the support login command:
    ve/bin/python manage.py support_login --username ${username}
    Replace ${username} with the desired account.
  3. The generated token is valid for a time set by the SUPPORT_LOGIN_TTL environment variable (e.g., 300 seconds).
    Example output:
    The following token is valid for 300 seconds:
    /accounts/support_login/?token=1-1757106120-7394fa7d5ffc6f87fe8306d25c5b2c71b3f98942d9f9c46aea97f3eda725434b
  4. Navigate to base_url + /accounts/support_login/?token=... to access the user's account.

Describe alternatives you've considered

  • Temporarily resetting passwords and restoring the previous hash, which is time consuming and risky.
  • Keeping support login disabled for all but development environments, requiring direct user intervention for troubleshooting.
  • Relying on less secure or more manual methods for impersonation.

Additional context

Caution

This feature should be considered a security risk if exposed outside the container or to non-admin users. Only administrators with shell access to the container can use it, and it should be enabled only when necessary for support.
The token is time-limited and usage is logged.
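As an added illustration of the two properties the caution relies on (time-limited tokens, logged use), the sketch below is not Specify's code; it assumes a token of the form `<user_id>-<issued_at>-<hmac>`, inferred from the example output above, and a server-side secret that never appears in the token:

```python
import hashlib
import hmac
import logging
import time
from typing import Optional

# Illustrative settings named after the ones in the issue (values are assumptions).
ALLOW_SUPPORT_LOGIN = True
SUPPORT_LOGIN_TTL = 300                         # seconds a token stays valid
SECRET_KEY = b"constructed-secret-for-demo"     # in practice: the server's secret key

log = logging.getLogger("support_login")


def _signature(user_id: int, issued_at: int) -> str:
    # HMAC-SHA256 over user id and issue time; the key itself is never part of the token.
    msg = f"{user_id}-{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: int, now: Optional[int] = None) -> str:
    """Mint a token shaped like the issue's example: <user_id>-<issued_at>-<hmac hex>."""
    if not ALLOW_SUPPORT_LOGIN:
        raise PermissionError("ALLOW_SUPPORT_LOGIN is disabled")
    issued_at = int(time.time()) if now is None else now
    return f"{user_id}-{issued_at}-{_signature(user_id, issued_at)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the token is intact and within SUPPORT_LOGIN_TTL, else None."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, ts_s, sig = token.split("-", 2)
        user_id, issued_at = int(uid_s), int(ts_s)
    except ValueError:
        log.warning("support_login: malformed token rejected")
        return None
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(sig, _signature(user_id, issued_at)):
        log.warning("support_login: bad signature for user %s", user_id)
        return None
    # Reject tokens older than the TTL and tokens dated in the future.
    if not 0 <= now - issued_at <= SUPPORT_LOGIN_TTL:
        log.warning("support_login: expired token for user %s", user_id)
        return None
    log.info("support_login: user %s signed in via support token at %s", user_id, now)
    return user_id
```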

Labels: type:meta (The Issue is related to platform engineering, deployment, CI/CD, GitOps, or other DevOps aspects)
