#14434: AdminSite should check self.has_permission in self.login
--------------------------+-------------------------------------------------
Reporter: bkonkle | Owner: nobody
Status: new | Milestone:
Component: Contrib apps | Version: 1.2
Keywords: admin views | Stage: Unreviewed
Has_patch: 1 |
--------------------------+-------------------------------------------------
At the end of the ''login'' method on
{{{django.contrib.admin.sites.AdminSite}}}, if the user data is correct the
method checks for ''user.is_active'' and ''user.is_staff'' and then logs
the user in. The ''admin_view'' method calls the ''has_permission''
method, which also checks for ''user.is_active'' and ''user.is_staff'' by
default. Putting this into a separate method provides an extension point,
however, to customize the permissions checked.

The fact that the ''login'' method doesn't check ''has_permission'' but
checks ''is_active'' and ''is_staff'' explicitly is redundant and breaks
the customization if a developer wants to create a separate, limited admin
site where user.is_staff isn't a requirement. A use case would be in
multi-tenancy situations, where users with a special permission may be
able to access a site-specific admin site where they can only access data
for their site.
--
Ticket URL: <http://code.djangoproject.com/ticket/14434>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
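
The mismatch this ticket describes, as an added example that is not part of the ticket and is not Django's own code: a plain-Python model of ''login'', ''admin_view'' and ''has_permission'' showing how the two checks diverge once ''has_permission'' is overridden. The User stand-in, the site subclasses, tenant_policy and the permission name tenant_a.access_admin are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:  # constructed stand-in for a Django user object
    username: str
    is_active: bool = True
    is_staff: bool = False
    perms: set = field(default_factory=set)

class AdminSite:  # simplified model, not Django's implementation
    def has_permission(self, user):
        # Default policy and the extension point the ticket refers to.
        return user.is_active and user.is_staff
    def admin_view(self, user):
        # Views are gated on has_permission().
        return "page" if self.has_permission(user) else "login form"
    def login(self, user):
        # Reported behaviour: the check is repeated inline, so an
        # overridden has_permission() is never consulted at login.
        return user.is_active and user.is_staff

class DelegatingAdminSite(AdminSite):
    def login(self, user):
        # Behaviour the ticket asks for: one authorization decision point.
        return self.has_permission(user)

def tenant_policy(user):
    # Hypothetical per-site rule; it still requires an active account.
    return user.is_active and "tenant_a.access_admin" in user.perms

class TenantSiteCurrent(AdminSite):
    def has_permission(self, user):
        return tenant_policy(user)

class TenantSiteFixed(DelegatingAdminSite):
    def has_permission(self, user):
        return tenant_policy(user)

def outcomes(site, user):
    """Return (login accepted?, what admin_view serves)."""
    return site.login(user), site.admin_view(user)

# Constructed sample users.
TENANT = User("tenant", perms={"tenant_a.access_admin"})
STAFF = User("staff", is_staff=True)
DISABLED = User("gone", is_active=False, perms={"tenant_a.access_admin"})

if __name__ == "__main__":
    for site in (TenantSiteCurrent(), TenantSiteFixed()):
        for u in (TENANT, STAFF, DISABLED):
            print(type(site).__name__, u.username, outcomes(site, u))
```

In the model of the current behaviour the two checks disagree in both directions: the tenant user is refused at login although the view policy would admit them, and a staff user without the tenant permission is accepted at login but still gets the login form from every view.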