What began as a minimalist internal module has become a popular open-source Django app. In 2016, Django Hijack has more than 420 stars on Github and is used in production by many community members.
Today we are releasing a new backwards-incompatible version to separate the Django admin site integration from the core module. We have created a new add-on for everyone who uses the classic admin interface or wishes to do so in the future. Please have a look at the installation instructions.
In addition, we have changed the Django Hijack endpoints to only accept POST requests. If you have implemented your own buttons or links to use GET requests, you may need to make some changes in your code before upgrading. We have included a code example in the docs to show you how you can leverage the Django Hijack functionality with custom buttons.
If all this seems too complicated for now, you can still opt-in on allowing GET requests.
For the full release notes, see https://github.com/arteria/django-hijack/releases/tag/v2.1.0.
We have discussed at length whether we should make POST requests a requirement. The main rationale behind the change is that impersonating other users is a potentially security-relevant action – even if privilege escalation can be ruled out – and that it is always better to use Django's CSRF protection than not to. Also, moving the Django admin integration to a separate module allows us to open development up for a broader array of use cases.