Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#26035 closed Bug (fixed)

usertools block in admin console visible after logout

Reported by: Scott Pashley
Owned by: Scott Pashley
Component: contrib.admin
Version: 1.8
Severity: Release blocker
Keywords: admin, logout, ui
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: yes

Description

When a user logs out of the admin interface, they get directed to a page (/admin/logout/) which acknowledges that the user is logged out of the system.

In the top right-hand corner of the screen, the welcome string is still visible (without the username), as are the "view site" and "log out" links. This block should no longer be visible as the user is now logged out at this point.

This is happening because the block is visible as long as has_permission returns True.

I suggest that we also check that the user is authenticated using user.is_authenticated in addition to the current check.

Change History (7)

comment:1 Changed 4 years ago by Tim Graham

Severity: Normal → Release blocker
Triage Stage: Unreviewed → Accepted
Version: master → 1.8

Seems to be a regression in 46068d850d8debd3611ed6499d48b9907bf07ef6, however, the suggested fix doesn't work (unless I misinterpreted what you meant).

  • django/contrib/admin/sites.py

    diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
    index af40880..2dc0d99 100644
    a b class AdminSite(object): 
    159159        Returns True if the given HttpRequest has permission to view
    160160        *at least one* page in the admin site.
    161161        """
    162         return request.user.is_active and request.user.is_staff
     162        return request.user.is_authenticated() and request.user.is_active and request.user.is_staff
    163163
    164164    def check_dependencies(self):
    165165        """
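
Review bot: on the changed return line of has_permission, the added request.user.is_authenticated() looks redundant: Django's AnonymousUser already reports is_active and is_staff as False, so for a logged-out request the expression returns the same value before and after the change, which matches the report above that the fix doesn't work. If the flag is still True on /admin/logout/, the thing to check is when has_permission is evaluated relative to the session being cleared. The docstring should also be updated if the semantics of the method change.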

comment:2 in reply to:  1 Changed 4 years ago by Scott Pashley

Replying to timgraham:

Seems to be a regression in 46068d850d8debd3611ed6499d48b9907bf07ef6, however, the suggested fix doesn't work (unless I misinterpreted what you meant).

  • django/contrib/admin/sites.py

    diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
    index af40880..2dc0d99 100644
    a b class AdminSite(object): 
    159159        Returns True if the given HttpRequest has permission to view
    160160        *at least one* page in the admin site.
    161161        """
    162         return request.user.is_active and request.user.is_staff
     162        return request.user.is_authenticated() and request.user.is_active and request.user.is_staff
    163163
    164164    def check_dependencies(self):
    165165        """

Apologies, it would be in the HTML template:

  • django/contrib/admin/templates/admin/base.html

    diff --git a/django/contrib/admin/templates/admin/base.html b/django/contrib/admin/templates/admin/base.html
    index 70e137c..47e4cad 100644
    a b  
    2424        {% block branding %}{% endblock %}
    2525        </div>
    2626        {% block usertools %}
    27         {% if has_permission %}
     27        {% if has_permission and user.is_authenticated %}
    2828        <div id="user-tools">
    2929            {% block welcome-msg %}
    3030                {% trans 'Welcome,' %}
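
Review bot: the new condition on line 27, {% if has_permission and user.is_authenticated %}, hides the block in base.html but leaves has_permission itself True in the logout page's context, so any template that overrides usertools or tests has_permission elsewhere still sees the stale value. Consider also correcting the value where the logout context is built, and add an assertion to an existing admin logout test that user-tools is absent from the response.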

Scott

comment:3 Changed 4 years ago by Tim Graham

Seems okay. Will you send a pull request with a test (can probably find an existing one and just add an assertion)? Thanks!

comment:4 Changed 4 years ago by Tim Graham

PR (needs a test and mention in the 1.9.2 and 1.8.9 release notes)

comment:5 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 7cc2efc2:

Fixed #26035 -- Prevented user-tools from appearing on admin logout page.

comment:6 Changed 4 years ago by Tim Graham <timograham@…>

In 7688089:

[1.8.x] Fixed #26035 -- Prevented user-tools from appearing on admin logout page.

Backport of 7cc2efc2d6916c05a0a5cb0c0e67f5405d8f6a03 from master

comment:7 Changed 4 years ago by Tim Graham <timograham@…>

In a7b69c86:

[1.9.x] Fixed #26035 -- Prevented user-tools from appearing on admin logout page.

Backport of 7cc2efc2d6916c05a0a5cb0c0e67f5405d8f6a03 from master
