Opened 6 years ago

Closed 5 years ago

#19830 closed Cleanup/optimization (duplicate)

staff_member_required decorator should use '' and not

Reported by: rene@… Owned by: nobody
Component: contrib.admin Version: master
Severity: Normal Keywords: staff_member_required authentication_form template_name
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The staff_member_required decorator in django.contrib.admin.views checks if the user is logged in and is staff. If not it will display the admin login page instead of the decorated view.

If the user is not logged in and not staff, a 'defaults' dictionary is build with the following keys: 'template_name', 'authentication_form' and 'extra_context'.

The 'template_name' refers to the template to use for the login screen.
The 'authentication_form' refers to the form class to use to handle the login form.

The two values are now: 'admin/login.html' and 'AdminAuthenticationForm'. See the code block below:

defaults = {
            'template_name': 'admin/login.html',
            'authentication_form': AdminAuthenticationForm,
            'extra_context': {
                'title': _('Log in'),
                'app_path': request.get_full_path(),
                REDIRECT_FIELD_NAME: request.get_full_path(),

According to this documentation: a developer can provide it's own login-template and own login-form class to handle 'admin' logins.

Should the 'staff_member_required' decorator not refer to these two settings instead of the hard-coded values in the current implementation?
Like this:

defaults = {
            'template_name':  site.login_template or 'admin/login.html',
            'authentication_form': site.login_form or AdminAuthenticationForm,
            'extra_context': {
                'title': _('Log in'),
                'app_path': request.get_full_path(),
                REDIRECT_FIELD_NAME: request.get_full_path(),

These is a problem in the above codeblock. The 'site' variable does not exists. I am not sure how to get a reference to the 'admin' site object.

Change History (3)

comment:1 Changed 6 years ago by Claude Paroz

Triage Stage: UnreviewedAccepted
Version: 1.4master

I think that instead of login, the decorator should use the redirect_to_login view, unless I've missed something...

comment:2 Changed 6 years ago by anonymous

The biggest issue I see here is dealing with multiple admin sites.

comment:3 Changed 5 years ago by Claude Paroz

Resolution: duplicate
Status: newclosed

See ticket #21911, staff_member_required implementation changed to use user_passes_test (which itself uses redirect_to_login).

Note: See TracTickets for help on using tickets.
Back to Top