id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34022	admin:logout fails to log out non-staff users	Jan Pazdziora	nobody	"The Django 4.1 release notes at https://docs.djangoproject.com/en/4.1/releases/4.1/ show that the expected way to log out users is using **admin:logout**:

{{{
<form id=""logout-form"" method=""post"" action=""{% url 'admin:logout' %}"">
  {% csrf_token %}
  <button type=""submit"">{% translate ""Log out"" %}</button>
</form>
}}}

However, when the logged-in user does not have the is_staff attribute because they used a custom non-admin login, using such an approach leads to a redirect back to /admin/ and /admin/login/?next=/admin/ and the message

    You are authenticated as bob, but are not authorized to access this page.
    Would you like to login to a different account?

Since the user tries to log out, meaning strip themselves of any permissions, the authorization check that is currently in place for logout is likely wrong.

The behaviour change happened in https://github.com/django/django/commit/1f84630c87f8032b0167e6db41acaf50ab710879. The original code did
{{{
        # The 'logout' view doesn't require that the person is logged in.
        if url == 'logout':
            return self.logout(request)

        # Check permission to continue or display login form.
        if not self.has_permission(request):
            return self.login(request)
}}}
which the new code changed to
{{{
            url(r'^logout/$',
                wrap(self.logout),
                name='%sadmin_logout'),
}}}
with that {{{wrap()}}} around {{{self.logout}}}. So that refactoring change also changed the semantics of the logout behaviour"	New feature	closed	contrib.admin	4.1	Normal	wontfix			Unreviewed	0	0	0	0	0	0
