#36576: /admin/logout/ requires having admin access
--------------------------+-----------------------------------------
Reporter: adehnert | Type: Uncategorized
Status: new | Component: contrib.auth
Version: 5.1 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------+-----------------------------------------
If I visit /admin/logout/ while logged in as a user that doesn't have
admin/staff access, I'm redirected to /admin/ and then to /admin/login/,
*without* being logged out of my existing user. This feels like a bug, for
several reasons:
* If I don't have permission to access `/admin/logout/` for some reason,
shouldn't I get told that, not just redirected to a login screen and left
to guess?
* The [https://github.com/django/django/blob/c594574175e379fff356e274893d797f6e6a95fa/django/contrib/admin/sites.py#L391 docstring for logout()]
says "This should *not* assume the user is already
logged in.", which isn't quite the same as "should log you out regardless
of what user you are" but sorta hints in that direction to me
* The [https://docs.djangoproject.com/en/5.2/releases/4.1/#log-out-via-get release notes for 4.1]
suggest using `admin:logout` to log out, without
any caveats about "all your users need to be staff" (my instinct is the
recommendation should be `logout` not `admin:logout` regardless -- #36575
-- but it still suggests that this behavior is unexpected).
I looked briefly and didn't understand *how* /admin/logout/ requires admin
access; I'm mildly suspicious of the
[https://github.com/django/django/commit/c7fc9f20b49b5889a9a8f47de45165ac443c1a21#diff-0b9b76020bca57d146eddea5c47e1e6a99744ce287a365e18a0d7685dd268f18R408 @login_not_required decorator on `login`]
but I don't know if that's
actually relevant.
--
Ticket URL: <https://code.djangoproject.com/ticket/36576>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.