id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 14434,AdminSite should rely on self.has_permission for all permission checks,Brandon Konkle,nobody,"At the end of the ''login'' method on {{{ django.contrib.admin.sites.AdminSite }}}, if the user data is correct the method checks for ''user.is_active'' and ''user.is_staff'' and then logs the user in. The ''admin_view'' method calls the ''has_permission'' method, which also checks for ''user.is_active'' and ''user.is_staff'' by default. Putting this into a separate method provides an extension point, however, to customize the permissions checked. The fact that the ''login'' method doesn't check ''has_permission'' but checks ''is_active'' and ''is_staff'' explicitly is redundant and breaks the customization if a developer wants to create a separate, limited admin site where user.is_staff isn't a requirement. A use case would be in multi-tenancy situations, where users with a special permission may be able to access a site-specific admin site where they can only access data for their site. ",Bug,closed,contrib.admin,1.2,Normal,duplicate,admin views,Alexander Koshelev,Accepted,1,0,1,1,0,0