#25163: When user does not have permission, /admin redirects to /admin/login but user is still authenticated
-------------------------------+--------------------
     Reporter:  adelton        |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  contrib.admin  |    Version:  master
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------

Assume an application which uses `django.contrib.auth.views.login` with some custom template to allow the users to log in. Even users that are not staff can therefore log in.

While authenticated with this non-staff user, access to `/admin` gets redirected to `/admin/login`, which shows the `Django administration` logon form. So that page (and any access to `/admin`) behaves as if the user was not authenticated. There is no information clarifying that "while you are authenticated as `david`, you are unfortunately not authorized to access this page -- would you care to re-login?"

What's more, the user stays authenticated, so when they edit the location in their browser to access some non-admin site, they are back as an authenticated user.

Maybe when the user is not authorized, it should be clearly spelled out on the admin login screen, giving the user a chance to log out and re-login?

I was able to reproduce this behaviour without any remote user authentication set up, even if that is eventually the environment where I'd like the authentication to also work.

Note: Not sure if this is more about `django.contrib.admin` or `django.contrib.auth`, filing under `contrib.admin` because that's where I can demonstrate it easily.

--
Ticket URL: <https://code.djangoproject.com/ticket/25163>