Opened 7 years ago

Last modified 14 months ago

#6363 new Bug

Bug with has_permission method of AdminSite class.

Reported by: michelts
Owned by: nobody
Component: contrib.admin
Version: newforms-admin
Severity: Normal
Keywords: nfa-someday
Cc: net147
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I found a bug when using the has_permission method of the AdminSite class to filter which users can access the admin page:

from django.contrib import admin

class SuperuserAdminSite(admin.AdminSite):
    # Restrict this site to superusers, on top of the base class's is_staff check.
    def has_permission(self, request):
        return super(SuperuserAdminSite, self).has_permission(request) and request.user.is_superuser

admin_site = SuperuserAdminSite()

When I try to log in as a user that is not a superuser, it already gets through the login but stays on the login page (with the header but no application loaded). I think this is a bug :) The user should get an error message as if they had entered a wrong password or such, shouldn't they?

Attachments (3)

weirdness.png (8.7 KB) - added by Karen Tracey <kmtracey@…> 6 years ago.
6363.diff (2.7 KB) - added by Karen Tracey <kmtracey@…> 6 years ago.
6363-1.diff (2.7 KB) - added by Karen Tracey <kmtracey@…> 6 years ago.
Fixed patch -- like I said this logic is more convoluted than I like

Change History (13)

comment:1 Changed 6 years ago by telenieko

  • Component changed from Uncategorized to Admin interface
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Version changed from SVN to newforms-admin

I assume this has to do with newforms-admin branch?
The ticket is 5 months old, could you please check if it's still valid?

comment:2 Changed 6 years ago by Karen Tracey <kmtracey@…>

  • Has patch set
  • Keywords nfa-someday added
  • Triage Stage changed from Unreviewed to Accepted

I think I see the problem. If you try to create a SuperuserAdminSite that only superusers are allowed to login to, as shown by the supplied code, then when you navigate to that site and present login information for a staff (but not superuser) user and press the "Log In" button, the login page is redisplayed without any error messages, plus the user-tools links div overlays the login form (I'll attach an image).

The problem is that the base AdminSite, during login, assumes that any user who is_staff can access the admin site. I've created a patch that fixes this. The logic is a little more convoluted than I'd like because the has_permission method takes a request object, and the user logging in is only associated with the request object after login() is called, so in the case where the user is a staff member but doesn't pass the site's has_permission test you have to call login to get the user attached to the request, then has_permission to check for permissions, then logout to detach the insufficiently qualified user from the request and replace them with the AnonymousUser again.

Accepting based on the assumption that this is something one should be able to do in newforms-admin? Feel free to correct me if I'm wrong on that though. Tagging nfa-someday since I don't see it as super high-priority.

Changed 6 years ago by Karen Tracey <kmtracey@…>

Changed 6 years ago by Karen Tracey <kmtracey@…>

Changed 6 years ago by Karen Tracey <kmtracey@…>

Fixed patch -- like I said this logic is more convoluted than I like

comment:3 Changed 4 years ago by ramiro

  • Needs tests set

comment:4 Changed 3 years ago by net147

  • Cc net147 added

comment:5 Changed 3 years ago by julien

  • Severity set to Normal
  • Type set to Bug

comment:6 Changed 2 years ago by aaugustin

  • UI/UX unset

Change UI/UX from NULL to False.

comment:7 Changed 2 years ago by aaugustin

  • Easy pickings unset

Change Easy pickings from NULL to False.

comment:8 Changed 2 years ago by dgouldin

Just verified that this does still happen on current trunk, though the patch is of course very outdated at this point.

comment:9 Changed 2 years ago by dgouldin

It looks like the 2 problem spots now are:

https://github.com/django/django/blob/master/django/contrib/admin/views/decorators.py#L14

and

https://github.com/django/django/blob/master/django/contrib/admin/forms.py#L41

Both of these should be modified to use AdminSite.has_permission. *How* that's to be done, I don't yet have any idea. ;-)
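The login/has_permission/logout sequence in comment:2 and the two is_staff-only checks dgouldin points at in comment:9 are the same problem seen from two sides: the login path decides on is_staff alone, while the site's has_permission() is only consulted once a session already exists. The script below is an added example, not Django's code and not any of the patches on this ticket. Its User, AnonymousUser, Request, authenticate(), login(), logout() and AdminSite classes are small stand-ins modelled on the Django objects named in the comments so that it runs without Django installed; login_view_buggy, login_view_fixed, attempt and the user records are invented for illustration. The fixed view attaches the candidate user to the request only for the duration of the has_permission() check, so no session is ever created for a user the site rejects, and no logout() is needed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password: str
    is_staff: bool = False
    is_superuser: bool = False
    is_authenticated: bool = True


class AnonymousUser:
    is_staff = False
    is_superuser = False
    is_authenticated = False


@dataclass
class Request:
    POST: dict
    session: dict = field(default_factory=dict)
    user: object = field(default_factory=AnonymousUser)


# Constructed user database: a superuser, a staff-only user, a plain user.
USERS = {
    "root": User("root", "r00t-pw", is_staff=True, is_superuser=True),
    "editor": User("editor", "ed1tor-pw", is_staff=True),
    "guest": User("guest", "guest-pw"),
}

GENERIC_ERROR = "error: please enter a correct username and password"


def authenticate(username, password):
    """Stand-in for django.contrib.auth.authenticate: the user, or None."""
    user = USERS.get(username)
    return user if user is not None and user.password == password else None


def login(request, user):
    """Stand-in for django.contrib.auth.login: attach user to request and session."""
    request.session["_auth_user_id"] = user.username
    request.user = user


def logout(request):
    """Stand-in for django.contrib.auth.logout: drop session, reattach AnonymousUser."""
    request.session.clear()
    request.user = AnonymousUser()


class AdminSite:
    def has_permission(self, request):
        return request.user.is_authenticated and request.user.is_staff

    def login_view_buggy(self, request):
        """The behaviour the ticket describes: only is_staff is checked, so a
        user that this site's has_permission() rejects still gets a session."""
        user = authenticate(request.POST.get("username"), request.POST.get("password"))
        if user is None or not user.is_staff:
            return GENERIC_ERROR
        login(request, user)
        return "redirect: index"

    def login_view_fixed(self, request):
        """Evaluate has_permission() against the candidate user before any
        session exists; login() runs only if the site accepts them."""
        user = authenticate(request.POST.get("username"), request.POST.get("password"))
        if user is None:
            return GENERIC_ERROR
        previous = request.user
        request.user = user            # attach only for the check
        try:
            allowed = self.has_permission(request)
        finally:
            request.user = previous    # never leave a rejected user attached
        if not allowed:
            return GENERIC_ERROR       # same message as a bad password
        login(request, user)
        return "redirect: index"


class SuperuserAdminSite(AdminSite):
    """The site from the ticket description."""
    def has_permission(self, request):
        return super().has_permission(request) and request.user.is_superuser


def attempt(site, view, username, password):
    """One login attempt: (view result, session established?, has_permission after)."""
    request = Request(POST={"username": username, "password": password})
    result = getattr(site, view)(request)
    return result, "_auth_user_id" in request.session, site.has_permission(request)


if __name__ == "__main__":
    site = SuperuserAdminSite()
    print("buggy, staff-only user:", attempt(site, "login_view_buggy", "editor", "ed1tor-pw"))
    print("fixed, staff-only user:", attempt(site, "login_view_fixed", "editor", "ed1tor-pw"))
    print("fixed, superuser:      ", attempt(site, "login_view_fixed", "root", "r00t-pw"))
```

Running it shows the buggy path leaving the staff-only user with a session but has_permission() False, which is exactly the "logged in but stuck on the login page" state in the description and weirdness.png; the fixed path gives that user no session at all. The fixed view deliberately returns the same error for "wrong password" and "valid password but not allowed on this site", as the reporter asks: a distinct message would confirm to the caller that the credentials were correct.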

comment:10 Changed 14 months ago by timo

Found a patch, looks like it needs tests:

https://github.com/django/django/pull/925
