From 449db51aff9388045c602f575a829843d2218a0d Mon Sep 17 00:00:00 2001 From: Andrew Berry Date: Mon, 4 Mar 2024 08:01:30 -0500 Subject: [PATCH] =?UTF-8?q?Document=20that=20/admin/login=20isn=E2=80=99t?= =?UTF-8?q?=20blocked=20when=20disabling=20direct=20logins?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I understand from https://github.com/paperless-ngx/paperless-ngx/pull/5816 that this can’t or won’t be implemented in Paperless itself. That’s fine, but I think we should document this and offer an example of how someone could block it at a different layer in the stack. --- docs/advanced_usage.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/advanced_usage.md b/docs/advanced_usage.md index d4ff80f87..0c38fc812 100644 --- a/docs/advanced_usage.md +++ b/docs/advanced_usage.md @@ -695,4 +695,10 @@ More details about configuration option for various providers can be found in th ### Disabling Regular Login -Once external auth is set up, 'regular' login can be disabled with the [PAPERLESS_DISABLE_REGULAR_LOGIN](configuration.md#PAPERLESS_DISABLE_REGULAR_LOGIN) setting. +Once external auth is set up, 'regular' login can be disabled with the [PAPERLESS_DISABLE_REGULAR_LOGIN](configuration.md#PAPERLESS_DISABLE_REGULAR_LOGIN) setting. This setting will not black access to the built-in Django login form at `/admin/login`. To block access to that page, consider blocking it in your web server configuration. For example, with Nginx, try: + +``` +location /admin/login { + return 403; +} +```
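Review bot: The added sentence under "Disabling Regular Login" has a typo, "This setting will not black access" should read "will not block access". On the Nginx example in the same hunk: `location /admin/login` is a plain prefix match, so a regex location elsewhere in the same server block that also matches the path would take precedence over it. Consider `location ^~ /admin/login` so the 403 always wins, and say in the text that the prefix also covers `/admin/login/` and any query string such as `?next=`. The example stops the login form from being served but leaves the rest of `/admin/` reachable, which may be worth stating so readers do not assume the whole admin site is blocked. The code fence could also carry an `nginx` language tag if the docs build highlights it.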