Re: [Django] #14434: AdminSite should check self.has_permission in self.login

2011-09-13 Thread Django
#14434: AdminSite should check self.has_permission in self.login
-----------------------------------------+--------------------------------
               Reporter:  bkonkle        |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  reopened
              Milestone:                 |      Component:  contrib.admin
                Version:  1.2            |       Severity:  Normal
             Resolution:                 |       Keywords:  admin views
           Triage Stage:  Accepted       |      Has patch:  1
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+--------------------------------
Changes (by danny.adair@…):

 * status:  closed => reopened
 * severity:   => Normal
 * type:   => Uncategorized
 * easy:   => 0
 * ui_ux:   => 0
 * resolution:  fixed =>


Comment:

 I don't believe this has been fully resolved.
 Even when AdminSite.has_permission() is overridden, it won't lead to the
 expected effect:

 
 https://code.djangoproject.com/browser/django/trunk/django/contrib/admin/forms.py#L40
 and
 https://code.djangoproject.com/browser/django/trunk/django/contrib/admin/templates/admin/base.html#L26

 still do explicit "is_staff" checks.

 See also
 http://stackoverflow.com/questions/4022551/how-to-make-django-admin-site-accessed-by-non-staff-user/5573686#5573686

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.



Re: [Django] #14434: AdminSite should check self.has_permission in self.login

2011-03-03 Thread Django
#14434: AdminSite should check self.has_permission in self.login
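------------------------------------------------+----------------------------
               Reporter:  bkonkle               |        Owner:  nobody
                 Status:  closed                |    Milestone:
              Component:  django.contrib.admin  |      Version:  1.2
             Resolution:  fixed                 |     Keywords:  admin views
           Triage Stage:  Accepted              |    Has patch:  1
    Needs documentation:  0                     |  Needs tests:  0
Patch needs improvement:  0                     |
------------------------------------------------+----------------------------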
Changes (by julien):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 This has been fixed as a side effect of [14769].




Re: [Django] #14434: AdminSite should check self.has_permission in self.login

2011-02-27 Thread Django
#14434: AdminSite should check self.has_permission in self.login
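------------------------------------------------+----------------------------
               Reporter:  bkonkle               |        Owner:  nobody
                 Status:  new                   |    Milestone:
              Component:  django.contrib.admin  |      Version:  1.2
             Resolution:                        |     Keywords:  admin views
           Triage Stage:  Accepted              |    Has patch:  1
    Needs documentation:  0                     |  Needs tests:  0
Patch needs improvement:  0                     |
------------------------------------------------+----------------------------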
Changes (by julien):

  * component:  Contrib apps => django.contrib.admin





Re: [Django] #14434: AdminSite should check self.has_permission in self.login

2010-10-10 Thread Django
#14434: AdminSite should check self.has_permission in self.login
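-----------------------------------+--------------------------
          Reporter:  bkonkle       |        Owner:  nobody
            Status:  new           |    Milestone:
         Component:  Contrib apps  |      Version:  1.2
        Resolution:                |     Keywords:  admin views
             Stage:  Accepted      |    Has_patch:  1
        Needs_docs:  0             |  Needs_tests:  0
Needs_better_patch:  0             |
-----------------------------------+--------------------------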
Changes (by ramiro):

  * stage:  Unreviewed => Accepted

Comment:

 This is one of the issues that had been reported in #8049; unfortunately,
 the solution implemented when fixing it wasn't to centralize the logic but
 rather to duplicate the ''if'' checks.




Re: [Django] #14434: AdminSite should check self.has_permission in self.login

2010-10-10 Thread Django
#14434: AdminSite should check self.has_permission in self.login
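-----------------------------------+--------------------------
          Reporter:  bkonkle       |        Owner:  nobody
            Status:  new           |    Milestone:
         Component:  Contrib apps  |      Version:  1.2
        Resolution:                |     Keywords:  admin views
             Stage:  Unreviewed    |    Has_patch:  1
        Needs_docs:  0             |  Needs_tests:  0
Needs_better_patch:  0             |
-----------------------------------+--------------------------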
Changes (by alexkoshelev):

  * cc:  alexkoshelev (added)
  * needs_better_patch:  => 0
  * needs_tests:  => 0
  * needs_docs:  => 0




[Django] #14434: AdminSite should check self.has_permission in self.login

2010-10-10 Thread Django
#14434: AdminSite should check self.has_permission in self.login
--------------------------+------------------------
 Reporter:  bkonkle       |      Owner:  nobody
   Status:  new           |  Milestone:
Component:  Contrib apps  |    Version:  1.2
 Keywords:  admin views   |      Stage:  Unreviewed
Has_patch:  1             |
--------------------------+------------------------
 At the end of the ''login'' method on {{{
 django.contrib.admin.sites.AdminSite }}}, if the user data is correct the
 method checks for ''user.is_active'' and ''user.is_staff'' and then logs
 the user in.  The ''admin_view'' method calls the ''has_permission''
 method, which also checks for ''user.is_active'' and ''user.is_staff'' by
 default.  Putting this into a separate method provides an extension point,
 however, to customize the permissions checked.

 The fact that the ''login'' method doesn't check ''has_permission'' but
 checks ''is_active'' and ''is_staff'' explicitly is redundant and breaks
 the customization if a developer wants to create a separate, limited admin
 site where user.is_staff isn't a requirement.  A use case would be in
 multi-tenancy situations, where users with a special permission may be
 able to access a site-specific admin site where they can only access data
 for their site.

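
The mismatch reported in this ticket, modelled in plain Python as an added example (it is not Django's code and not part of the thread). The class names, the `tenant.access_admin` permission and the sample users are hypothetical; `has_permission`, `admin_view`, `login`, `is_active` and `is_staff` are the names used in the report.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    """Constructed stand-in for a Django user object."""
    name: str
    is_active: bool = True
    is_staff: bool = False
    perms: set = field(default_factory=set)

class DuplicatedCheckSite:
    """Reported behaviour: login() repeats the default test inline."""
    def has_permission(self, user):
        return user.is_active and user.is_staff

    def admin_view(self, user):
        # Views are gated through the overridable hook.
        return self.has_permission(user)

    def login(self, user):
        # Hard-coded copy of the default policy; overrides never reach it.
        return user.is_active and user.is_staff

class CentralizedCheckSite(DuplicatedCheckSite):
    """Requested behaviour: login() defers to has_permission()."""
    def login(self, user):
        return self.has_permission(user)

class TenantPolicy:
    """Hypothetical override: a site permission replaces is_staff."""
    def has_permission(self, user):
        return user.is_active and "tenant.access_admin" in user.perms

class TenantSiteDuplicated(TenantPolicy, DuplicatedCheckSite):
    pass

class TenantSiteCentralized(TenantPolicy, CentralizedCheckSite):
    pass

def disagreements(site, users):
    """Names of users for whom the login gate and the view gate differ."""
    return [u.name for u in users if site.login(u) != site.admin_view(u)]

# Constructed sample users.
USERS = [
    User("tenant_editor", perms={"tenant.access_admin"}),
    User("global_staff", is_staff=True),
    User("disabled", is_active=False, perms={"tenant.access_admin"}),
]
```

With the duplicated check the two gates disagree in both directions: the permitted non-staff user is refused at login, and the staff user without the site permission passes login but is refused by every view. With the centralized check the two gates give the same answer for every sample user.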