﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21067	is_staff shouldn't be checked in admin templates	German Larrain	nobody	"In all the templates under django.contrib.admin, the only place where `user.is_staff` is used is `base.html`


{{{
/django/django/contrib/admin/templates$ grep -r is_staff
admin/base.html:        {% if user.is_active and user.is_staff %}
}}}

https://github.com/django/django/blob/master/django/contrib/admin/templates/admin/base.html#L27

This block wraps


{{{
        <div id=""user-tools"">
            {% trans 'Welcome,' %}
            <strong>{% firstof user.get_short_name user.get_username %}</strong>.
            {% block userlinks %}
                {% url 'django-admindocs-docroot' as docsroot %}
                {% if docsroot %}
                    <a href=""{{ docsroot }}"">{% trans 'Documentation' %}</a> /
                {% endif %}
                {% if user.has_usable_password %}
                <a href=""{% url 'admin:password_change' %}"">{% trans 'Change password' %}</a> /
                {% endif %}
                <a href=""{% url 'admin:logout' %}"">{% trans 'Log out' %}</a>
            {% endblock %}
        </div>
}}}


It's my impression that the condition `user.is_staff` should be removed from the ""if"" clause.

There is already Python code in charge of checking that the user has proper permissions, like `admin.views.decorators.staff_member_required` and `admin.sites.AdminSite.has_permission`, so the mentioned condition is redundant.

I happened to discover this when building a custom admin site that doesn't require the user to be staff. The current admin implementation prevents an ""elegant"" customization/extension and forces the developer to replace the template entirely. If not, the user could still log in and use the admin site but wouldn't see the links to change password and log out, because they are wrapped by the aforementioned ""if"" clause.

PS: have mercy on me, it's my first patch and ""real"" bug report :)"	Cleanup/optimization	closed	contrib.admin	dev	Normal	invalid	admin		Ready for checkin	1	0	0	0	0	0
