#22295: admin/base.html only shows #user-tools when user is staff
-------------------------------------+-------------------------------------
     Reporter:  wouter@…             |      Owner:  nobody
         Type:  Cleanup/optimization |     Status:  new
    Component:  contrib.admin        |    Version:  master
     Severity:  Normal               |   Keywords:  user-tools admin base template
 Triage Stage:  Unreviewed           |  Has patch:  0
Easy pickings:  0                    |      UI/UX:  0
-------------------------------------+-------------------------------------
 The built-in Django Admin ships with the admin/base.html template. This
 template is, among other things, responsible for rendering the #user-tools
 div that contains the 'log out' and 'change password' buttons. The user
 tools are only rendered if user.is_active and user.is_staff are True, see:
 
https://github.com/django/django/blob/2bc51438664b5ffbbd1430b4f9f3307f18b2b9db/django/contrib/admin/templates/admin/base.html#L27

 This check makes sure that #user-tools is only rendered when the user is
 actually authenticated for use of the admin. This is required because the
 login template (admin/login.html) eventually inherits from
 admin/base.html. If the check would be omitted, the #user-tools would
 become visible if the user was yet to be authenticated resulting in a
 situation where the user could 'log out' without being 'logged in' first.

 This check is therefore relevant, but it is the wrong check and breaks
 inheritance in the following case:

 Let's say you want to inherit from django.contrib.admin.sites.BaseSite to
 create a customized admin for special users that are not necessarily staff
 members. You can override the BaseSite.has_permission method. Currently
 this method holds the condition: {{{ request.user.is_active and
 request.user.is_staff }}}. You might change this to {{{
 request.user.is_active and request.user.is_a_special_user_but_not_staff
 }}}. This user would now be allowed to access this customised admin
 without having access to the default admin.

 The problem is that the user cannot log out from this special admin
 because the #user-tools are only rendered if the user is a staff member.

 I can think of two solutions:
 1. Use the BaseAdmin.has_permission to do this check
 2. Create a block called user-tools in the template and override this
 block in the admin/login.html to be empty

 In my opinion solution number 2 would be the best approach :-).

-- 
Ticket URL: <https://code.djangoproject.com/ticket/22295>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
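The mismatch the ticket describes, modelled as an added example that is not part of the ticket and not Django's own code: plain-Python stand-ins for the request/user objects, one site class mirroring the `is_active and is_staff` condition quoted from `has_permission`, a customised site admitting a hypothetical `is_special` user, and two rendering policies for `#user-tools`: the current template check (hard-coded staff test) and the proposed one (ask the site's `has_permission`, with the login page overriding the block to empty). The `User`, `Request`, `SpecialAdminSite` and `is_special` names are constructed for the illustration.

```python
from dataclasses import dataclass


# Constructed stand-ins for Django's user and request objects (not Django code).
@dataclass
class User:
    is_active: bool = True
    is_staff: bool = False
    is_special: bool = False      # hypothetical flag used by the customised admin
    is_authenticated: bool = True


# Mirrors AnonymousUser: not active, not staff, not authenticated.
ANONYMOUS = User(is_active=False, is_authenticated=False)


@dataclass
class Request:
    user: User


class AdminSite:
    """Mirrors the condition quoted in the ticket for the default admin:
    only active staff users may use the site."""

    def has_permission(self, request):
        return request.user.is_active and request.user.is_staff


class SpecialAdminSite(AdminSite):
    """The customised site from the ticket: admits active 'special' users
    who are not staff, so they cannot use the default admin."""

    def has_permission(self, request):
        return request.user.is_active and request.user.is_special


def user_tools_current(site, request, page):
    """Current admin/base.html behaviour: #user-tools is rendered only for
    active staff users, whatever the site's has_permission says."""
    return request.user.is_active and request.user.is_staff


def user_tools_proposed(site, request, page):
    """Ticket's solutions 1 + 2 combined: base.html defers to the site's
    has_permission, and admin/login.html overrides the user-tools block
    to be empty, so nobody can 'log out' from the login page."""
    if page == "login":
        return False
    return site.has_permission(request)


def logout_reachable(site, user, page="index", policy=user_tools_current):
    """True when the user would see the 'log out' button on the given page."""
    return bool(policy(site, Request(user), page))


if __name__ == "__main__":
    special = User(is_special=True)
    # The bug: admitted by SpecialAdminSite, but cannot log out.
    print(SpecialAdminSite().has_permission(Request(special)))       # True
    print(logout_reachable(SpecialAdminSite(), special))             # False
    # With the proposed policy the access decision has one source of truth.
    print(logout_reachable(SpecialAdminSite(), special,
                           policy=user_tools_proposed))              # True
```

The practitioner's takeaway is the one the ticket makes: an authorisation decision duplicated in a template drifts from the one in `has_permission`, and here the drift leaves an admitted user without a logout control. Deferring to a single predicate, plus an empty block on the login page, keeps both pages consistent without re-encoding the staff check anywhere.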
