Add a hint to the admin login page when a user is redirected there due to lack of permissions
|Patch needs improvement:
Assume an application which uses django.contrib.auth.views.login with some custom template to allow the users to log in. Even users that are not staff can therefore log in.

While authenticated with this non-staff user, access to /admin gets redirected to /admin/login, which shows the Django administration logon form. So that page (and any access to /admin) behaves as if the user was not authenticated. No information clarifying that "while you are authenticated as david, you are unfortunately not authorized to access this page -- would you care to re-login?" What's more, the user stays authenticated, so when they edit the location in their browser to access some non-admin site, they are back as an authenticated user.

Maybe when the user is not authorized, it should be clearly spelled out on the admin login screen, giving the user a chance to logout and re-login?

I was able to reproduce this behaviour without any remote user authentication set up, even if that is eventually the environment where I'd like the authentication to also work.

Note: Not sure if this is more about django.contrib.auth; filing under contrib.admin because that's where I can demonstrate it easily.
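The behaviour the report describes, as an added illustration that is not Django's code and not part of the ticket: a small model of the admin permission rule (active staff only), the redirect to the login page, and the hint the reporter asks for when a user who is already authenticated lands on that page. The User class, the ADMIN_LOGIN_URL path and the hint wording are constructed for this example; the session is left untouched in every case, which is the property the report points out.

```python
"""Constructed model of the admin access check discussed in the ticket.

Not Django's implementation: it mimics the rule the default admin site
applies (user must be active staff), the redirect to the login page, and
adds the hypothetical hint for an authenticated-but-unauthorized user.
"""
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed path; the ticket refers to it as /admin/login.
ADMIN_LOGIN_URL = "/admin/login/"


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a request user (constructed for the example)."""
    username: str
    is_authenticated: bool = True
    is_active: bool = True
    is_staff: bool = False


ANONYMOUS = User(username="", is_authenticated=False, is_active=False)


def has_admin_permission(user: User) -> bool:
    """Same rule the admin site applies: only active staff users may enter."""
    return user.is_active and user.is_staff


def admin_view(user: User, path: str) -> dict:
    """Model the wrapper around every admin view.

    Returns a dict describing the response: the page itself for permitted
    users, otherwise a redirect to the login page carrying the requested
    path in 'next'.  Note that an authenticated non-staff user is treated
    exactly like an anonymous visitor here; nothing is logged out.
    """
    if has_admin_permission(user):
        return {"status": 200, "page": path}
    return {"status": 302, "location": f"{ADMIN_LOGIN_URL}?{urlencode({'next': path})}"}


def admin_login_context(user: User) -> dict:
    """Template context for the login page.

    Without the hint the template cannot tell an anonymous visitor from a
    logged-in user who simply lacks admin rights.  The hint text is a
    constructed example of what the ticket asks for.
    """
    context = {
        "username": user.username if user.is_authenticated else None,
        "hint": None,
    }
    if user.is_authenticated and not has_admin_permission(user):
        context["hint"] = (
            f"You are authenticated as {user.username}, but are not authorized "
            "to access this page. Would you like to login to a different account?"
        )
    return context


if __name__ == "__main__":
    david = User("david")  # authenticated, active, but not staff
    print(admin_view(david, "/admin/"))        # 302 to the login page
    print(admin_login_context(david))          # hint is set
    print(admin_login_context(ANONYMOUS))      # no hint for anonymous visitors
```

The point of keeping has_admin_permission separate from the login context is that the redirect decision and the message decision use the same predicate, so the hint can never claim a user is unauthorized while the admin view would have let them in.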
Change History (21)
follow-up: 6 comment:4 by , 9 years ago
Summary: When user does not have permission, /admin redirects to /admin/login but user is still authenticated → When a user doesn't have permission to an admin page, raise 404 instead of redirecting to login
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization
comment:19 by , 9 years ago
Summary: When a user doesn't have permission to an admin page, raise 404 instead of redirecting to login → Add a hint to the admin login page when a user is redirected there due to lack of permissions