[Django] #22295: admin/base.html only shows #user-tools when user is staff


Django

Mar 20, 2014, 7:00:29 AM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: nobody
Type: | Status: new
Cleanup/optimization | Version: master
Component: contrib.admin | Keywords: user-tools admin base
Severity: Normal | template
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The built-in Django Admin ships with the admin/base.html template. This
template is, among other things, responsible for rendering the #user-tools
div that contains the 'log out' and 'change password' buttons. The user
tools are only rendered if user.is_active and user.is_staff are True, see:
https://github.com/django/django/blob/2bc51438664b5ffbbd1430b4f9f3307f18b2b9db/django/contrib/admin/templates/admin/base.html#L27

This check makes sure that #user-tools is only rendered when the user is
actually authenticated for use of the admin. This is required because the
login template (admin/login.html) eventually inherits from
admin/base.html. If the check would be omitted, the #user-tools would
become visible if the user was yet to be authenticated resulting in a
situation where the user could 'log out' without being 'logged in' first.

This check is therefore relevant, but it is the wrong check and breaks
inheritance in the following case:

Let's say you want to inherit from django.contrib.admin.sites.BaseSite to
create a customized admin for special users that are not necessarily staff
members. You can override the BaseSite.has_permission method. Currently
this method holds the condition: {{{ request.user.is_active and
request.user.is_staff }}}. You might change this to {{{
request.user.is_active and request.user.is_a_special_user_but_not_staff
}}}. This user would now be allowed to access this customised admin
without having access to the default admin.

The problem is that the user cannot log out from this special admin
because the #user-tools are only rendered if the user is a staff member.

I can think of two solutions:
1. Use the BaseAdmin.has_permission to do this check
2. Create a block called user-tools in the template and override this
block in the admin/login.html to be empty

In my opinion solution number 2 would be the best approach :-).

--
Ticket URL: <https://code.djangoproject.com/ticket/22295>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
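
The mismatch reported above, as an added example that is not part of the original ticket and is not Django's code: a plain-Python model (no Django import) comparing the hard-coded staff check with a check that reuses the site's own `has_permission`. The classes `User`, `DefaultSite`, `SpecialSite` and the helper `audit` are hypothetical names; the sample users are constructed.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_active: bool = False
    is_staff: bool = False
    is_a_special_user_but_not_staff: bool = False  # attribute name from the ticket


class DefaultSite:
    """Stand-in for the default admin's access rule quoted in the ticket."""
    def has_permission(self, user):
        return user.is_active and user.is_staff


class SpecialSite(DefaultSite):
    """Customised site from the ticket: special users get in, staff status is ignored."""
    def has_permission(self, user):
        return user.is_active and user.is_a_special_user_but_not_staff


def tools_hardcoded(site, user):
    # Condition the ticket describes in admin/base.html; it never consults the site.
    return user.is_active and user.is_staff


def tools_from_site(site, user):
    # Solution 1 from the ticket: reuse the site's own access predicate.
    return site.has_permission(user)


def audit(site, users, tools_visible):
    """Return (stranded, leaked): users allowed into the site but given no log-out
    link, and users shown the link although the site does not admit them."""
    stranded, leaked = [], []
    for u in users:
        allowed, shown = site.has_permission(u), tools_visible(site, u)
        if allowed and not shown:
            stranded.append(u.name)
        elif shown and not allowed:
            leaked.append(u.name)
    return stranded, leaked


# Constructed sample principals.
USERS = [
    User("anonymous"),
    User("staff", is_active=True, is_staff=True),
    User("special", is_active=True, is_a_special_user_but_not_staff=True),
]
```

In this model the hard-coded check on `SpecialSite` both strands the special user without a log-out link and shows the link to a staff user the site does not admit; deriving visibility from the same predicate that gates access removes both mismatches.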

Django

Mar 20, 2014, 2:02:08 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: nobody
Type: | Status: new
Cleanup/optimization | Version: master
Component: contrib.admin | Resolution:
Severity: Normal | Triage Stage:
Keywords: user-tools admin | Unreviewed
base template | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by aaugustin):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0


Comment:

Yes, option 2 sounds like a better approach if the goal is simply to hide
this block.

But what about people who extend this template and rely on the current
implementation to hide the block?

Even for small things, it's important to consider backwards compatibility.

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:1>

Django

Apr 29, 2014, 7:08:40 AM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: nobody
Type: | Status: new
Cleanup/optimization | Version: master
Component: contrib.admin | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: user-tools admin | Needs documentation: 0
base template | Patch needs improvement: 0
Has patch: 0 | UI/UX: 0
Needs tests: 0 |
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by timo):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:2>

Django

May 22, 2014, 10:27:50 AM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: maxocub
Type: | Status: assigned
Cleanup/optimization | Version: master
Component: contrib.admin | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: user-tools admin | Needs documentation: 0
base template | Patch needs improvement: 0
Has patch: 0 | UI/UX: 0
Needs tests: 0 |
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by maxocub):

* status: new => assigned
* owner: nobody => maxocub


--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:3>

Django

May 27, 2014, 4:35:39 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: maxocub
Type: | Status: assigned
Cleanup/optimization | Version: master
Component: contrib.admin | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: user-tools admin | Needs documentation: 0
base template | Patch needs improvement: 0
Has patch: 1 | UI/UX: 0
Needs tests: 0 |
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by anonymous):

* has_patch: 0 => 1


Comment:

Here's my [https://github.com/django/django/pull/2725 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:4>

Django

Jun 24, 2014, 8:42:41 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: maxocub
Type: | Status: assigned
Cleanup/optimization | Version: master
Component: contrib.admin | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: user-tools admin | Needs documentation: 0
base template | Patch needs improvement: 1
Has patch: 1 | UI/UX: 0
Needs tests: 0 |
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by timo):

* needs_better_patch: 0 => 1


Comment:

I left comments for improvement on PR. Please uncheck "Patch needs
improvement" when you update it, thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:5>

Django

Nov 1, 2014, 5:19:30 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization | Version: master
Component: contrib.admin | Resolution:
Severity: Normal | Triage Stage: Accepted
Keywords: user-tools admin | Needs documentation: 0
base template | Patch needs improvement: 1
Has patch: 1 | UI/UX: 0
Needs tests: 0 |
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by maxocub):

* owner: maxocub =>
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:6>

Django

Dec 20, 2014, 2:24:51 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization |
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: user-tools admin | Triage Stage: Accepted
base template |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by tanner):

I have updated my PR https://github.com/django/django/pull/3762 to include
the requested improvements and also implemented solution 2.

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:7>

Django

Dec 20, 2014, 3:30:57 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization |
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: user-tools admin | Triage Stage: Accepted
base template |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by tanner):

* cc: tanner (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:8>

Django

Dec 24, 2014, 3:30:47 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization |
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: user-tools admin | Triage Stage: Accepted
base template |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

Please uncheck "Patch needs improvement" when you update your pull request
so the ticket appears in the review queue.

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:9>

Django

Dec 25, 2014, 2:07:31 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization |
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: user-tools admin | Triage Stage: Accepted
base template |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by tanner):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:10>

Django

Dec 26, 2014, 9:17:35 AM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization |
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: user-tools admin | Triage Stage: Accepted
base template |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"c5fb34c47ef43fbd54e11fa6e72de326f5453f98"]:
{{{
#!CommitTicketReference repository=""
revision="c5fb34c47ef43fbd54e11fa6e72de326f5453f98"
Documented AdminSite.has_permission(); refs #22295.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:11>

Django

Dec 31, 2014, 4:03:51 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner:
Type: | Status: new
Cleanup/optimization |
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: user-tools admin | Triage Stage: Ready for
base template | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:12>

Django

Dec 31, 2014, 4:51:34 PM
to django-...@googlegroups.com
#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
Reporter: wouter@… | Owner: Tim
Type: | Graham <timograham@…>
Cleanup/optimization | Status: closed
Component: contrib.admin | Version: master
Severity: Normal | Resolution: fixed
Keywords: user-tools admin | Triage Stage: Ready for
base template | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* owner: => Tim Graham <timograham@…>
* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"46068d850d8debd3611ed6499d48b9907bf07ef6"]:
{{{
#!CommitTicketReference repository=""
revision="46068d850d8debd3611ed6499d48b9907bf07ef6"
Fixed #22295 -- Replaced permission check for displaying admin user-tools
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22295#comment:13>
