id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14434	AdminSite should rely on self.has_permission for all permission checks	Brandon Konkle	nobody	"At the end of the ''login'' method on {{{ django.contrib.admin.sites.AdminSite }}}, if the user data is correct the method checks for ''user.is_active'' and ''user.is_staff'' and then logs the user in.  The ''admin_view'' method calls the ''has_permission'' method, which also checks for ''user.is_active'' and ''user.is_staff'' by default.  Putting this into a separate method provides an extension point, however, to customize the permissions checked.

The fact that the ''login'' method doesn't check ''has_permission'' but checks ''is_active'' and ''is_staff'' explicitly is redundant and breaks the customization if a developer wants to create a separate, limited admin site where user.is_staff isn't a requirement.  A use case would be in multi-tenancy situations, where users with a special permission may be able to access a site-specific admin site where they can only access data for their site.
"	Bug	closed	contrib.admin	1.2	Normal	duplicate	admin views	Alexander Koshelev	Accepted	1	0	1	1	0	0