#25163: When user does not have permission, /admin redirects to /admin/login but
user is still authenticated
-------------------------------+--------------------
     Reporter:  adelton        |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  contrib.admin  |    Version:  master
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------
 Assume an application which uses `django.contrib.auth.views.login` with some
 custom template to allow the users to log in. Even users that are not
 staff can therefore log in.

 While authenticated with this non-staff user, access to `/admin` gets
 redirected to `/admin/login`, which shows the `Django administration` logon
 form. So that page (and any access to `/admin`) behaves as if the user were
 not authenticated. There is no information clarifying that "while you are
 authenticated as `david`, you are unfortunately not authorized to access
 this page -- would you care to re-login?" What's more, the user stays
 authenticated, so when they edit the location in their browser to access
 some non-admin site, they are back as an authenticated user.

 Maybe when the user is not authorized, it should be clearly spelled out on
 the admin login screen, giving the user a chance to logout and re-login?

 I was able to reproduce this behaviour without any remote user
 authentication set up, even if that is eventually the environment where
 I'd like the authentication to also work.

 Note: Not sure if this is more about `django.contrib.admin` or
 `django.contrib.auth`; filing under `contrib.admin` because that's where
 I can demonstrate it easily.

--
Ticket URL: <https://code.djangoproject.com/ticket/25163>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
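As an added standalone illustration (not code from the ticket or from Django itself) of the distinction the reporter asks for: Django's admin gate checks `is_active` and `is_staff`, not whether the user is logged in, so an authenticated non-staff user and an anonymous visitor receive the same redirect to the login form. The `User` class, `current_behaviour` and `proposed_behaviour` are constructed for this example; the latter is a hypothetical alternative that branches on authentication first and tells the user who they are logged in as.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed stand-in for request.user carrying the attributes that
# AdminSite.has_permission() inspects. This file models the check; it does
# not import or patch django.contrib.admin.
@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_active: bool = True
    is_staff: bool = False

ANONYMOUS = User("", is_authenticated=False)
ADMIN_LOGIN = "/admin/login/"


def has_admin_permission(user: User) -> bool:
    """Same predicate as Django's AdminSite.has_permission: staff status
    and active flag, with no reference to login state."""
    return user.is_active and user.is_staff


def login_redirect(path: str) -> tuple:
    """Redirect to the admin login form, preserving the requested path."""
    return ("redirect", f"{ADMIN_LOGIN}?{urlencode({'next': path})}")


def current_behaviour(user: User, path: str) -> tuple:
    """What the ticket describes: every non-staff user, logged in or not,
    is sent to the admin login form with no explanation."""
    if has_admin_permission(user):
        return ("allow", path)
    return login_redirect(path)


def proposed_behaviour(user: User, path: str) -> tuple:
    """Hypothetical alternative suggested by the report: only anonymous
    visitors get the login form; an authenticated but unauthorized user is
    told which account is in use and offered a logout instead."""
    if has_admin_permission(user):
        return ("allow", path)
    if not user.is_authenticated:
        return login_redirect(path)
    return ("forbidden",
            f"You are logged in as {user.username!r} but are not authorized "
            f"to access {path}. Log out to sign in with a staff account.")
```

Note that a user who is `is_staff` but not `is_active` also fails the admin check, so the authenticated-but-unauthorized branch covers that case as well.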
