Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by yakky):

 @claudep proposed solution ''almost'' works, but request in
 `confirm_login_allowed` still does not carry the **actual** user, but the
 pre-login one (which is likely `AnonymousUser`).
 A solution would be setting the user on request before passing to
 `AdminSite.has_permission` (eventually resetting it to the original after
 that).
 Does it sound good?

 {{{
 #!diff
 diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py
 index 2e482b9..e1d6fef 100644
 --- a/django/contrib/admin/forms.py
 +++ b/django/contrib/admin/forms.py
 @@ -17,7 +17,8 @@ class AdminAuthenticationForm(AuthenticationForm):
  required_css_class = 'required'

  def confirm_login_allowed(self, user):
 -if not user.is_active or not user.is_staff:
 +self.request.user = user
 +if not self.request.admin_site.has_permission(self.request):
  raise forms.ValidationError(
  self.error_messages['invalid_login'],
  code='invalid_login',
 }}}

 rebasing @czpython PR it's also an option (and way cleaner as it will
 display a proper message)

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.f16ba566a38c89b546759a22d3e609f8%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  yakky
 Type:  Bug|   Status:  assigned
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by yakky):

 * owner:  nobody => yakky
 * status:  new => assigned


--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.3361e7c81513a4b646ea440ebc094123%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by claudep):

 The visual quirk about user tools is gone. But there is still a small
 difference in that the authentication simply refuse the login and
 redisplay the login form without any explanation (like it would have given
 if user is not staff or password is wrong).

 Tentative resolution:
 {{{
 #!diff
 diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py
 index 2e482b9..f40b2fc 100644
 --- a/django/contrib/admin/forms.py
 +++ b/django/contrib/admin/forms.py
 @@ -17,7 +17,7 @@ class AdminAuthenticationForm(AuthenticationForm):
  required_css_class = 'required'

  def confirm_login_allowed(self, user):
 -if not user.is_active or not user.is_staff:
 +if not self.request.admin_site.has_permission(self.request):
  raise forms.ValidationError(
  self.error_messages['invalid_login'],
  code='invalid_login',
 diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
 index 4b5ee57..ff6767f 100644
 --- a/django/contrib/admin/sites.py
 +++ b/django/contrib/admin/sites.py
 @@ -392,6 +392,7 @@ class AdminSite(object):
  'authentication_form': self.login_form or
 AdminAuthenticationForm,
  'template_name': self.login_template or 'admin/login.html',
  }
 +request.admin_site = self
  return login(request, **defaults)

  @never_cache
 }}}

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.e9458b7d3831232cb759d771240564a5%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by tanner):

 I cannot reproduce this bug with master. can be closed IMO

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.51e352c651e83575ae8fff0a161579a0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by timo):

 Found a patch, looks like it needs tests:

 https://github.com/django/django/pull/925

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.02774c7d8621a8c9a62073aa878bd099%40djangoproject.com?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by dgouldin):

 It looks like the 2 problem spots now are:

 
https://github.com/django/django/blob/master/django/contrib/admin/views/decorators.py#L14

 and

 https://github.com/django/django/blob/master/django/contrib/admin/forms.py#L41

 Both of these should be modified to use AdminSite.has_permission. *How*
 that's to be done, I don't yet have any idea. ;-)

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+--
 Reporter:  michelts   |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  contrib.admin  |  Version:  newforms-admin
 Severity:  Normal |   Resolution:
 Keywords:  nfa-someday| Triage Stage:  Accepted
Has patch:  1  |  Needs documentation:  0
  Needs tests:  1  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--

Comment (by dgouldin):

 Just verified that this does still happen on current trunk, though the
 patch is of course very outdated at this point.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
--+-
   Reporter:  michelts|Owner:  nobody
   Type:  Bug |   Status:  new
  Milestone:  |Component:  contrib.admin
Version:  newforms-admin  | Severity:  Normal
 Resolution:  | Keywords:  nfa-someday
   Triage Stage:  Accepted|Has patch:  1
Needs documentation:  0   |  Needs tests:  1
Patch needs improvement:  0   |
--+-
Changes (by julien):

 * type:   => Bug
 * severity:   => Normal


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
+---
   Reporter:  michelts  | Owner:  nobody
 Status:  new   | Milestone:
  Component:  django.contrib.admin  |   Version:  newforms-admin
 Resolution:|  Keywords:  nfa-someday   
   Triage Stage:  Accepted  | Has patch:  1 
Needs documentation:  0 |   Needs tests:  1 
Patch needs improvement:  0 |  
+---
Changes (by net147):

 * cc: net147 (added)


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #6363: Bug with has_permission method of AdminSite class.

[Django]

#6363: Bug with has_permission method of AdminSite class.
---+
  Reporter:  michelts  | Owner:  nobody
Status:  new   | Milestone:
 Component:  django.contrib.admin  |   Version:  newforms-admin
Resolution:|  Keywords:  nfa-someday   
 Stage:  Accepted  | Has_patch:  1 
Needs_docs:  0 |   Needs_tests:  1 
Needs_better_patch:  0 |  
---+
Changes (by ramiro):

  * needs_tests:  0 => 1

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.