#26035 closed Bug (fixed)
usertools block in admin console visible after logout
Reported by: | Scott Pashley | Owned by: | Scott Pashley |
---|---|---|---|
Component: | contrib.admin | Version: | 1.8 |
Severity: | Release blocker | Keywords: | admin, logout, ui |
Cc: | | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | yes |
Description
When a user logs out of the admin interface, they get directed to a page (/admin/logout/) which acknowledges that the user is logged out of the system.
In the top right hand corner of the screen, the welcome string is still visible (without the username), as are the "view site" and "log out" links. This block should no longer be visible as the user is now logged out at this point.
This is happening because the block is visible as long as has_permission returns True.
I suggest that we also check that the user is authenticated using user.is_authenticated in addition to the current check.
Change History (7)
follow-up: 2 comment:1 by , 9 years ago
Severity: | Normal → Release blocker |
---|---|
Triage Stage: | Unreviewed → Accepted |
Version: | master → 1.8 |
comment:2 by , 9 years ago
Replying to timgraham:
Seems to be a regression in 46068d850d8debd3611ed6499d48b9907bf07ef6, however, the suggested fix doesn't work (unless I misinterpreted what you meant).
django/contrib/admin/sites.py
diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py index af40880..2dc0d99 100644
a b class AdminSite(object): 159 159 Returns True if the given HttpRequest has permission to view 160 160 *at least one* page in the admin site. 161 161 """ 162 return request.user.is_a ctive and request.user.is_staff162 return request.user.is_authenticated() and request.user.is_active and request.user.is_staff 163 163 164 164 def check_dependencies(self): 165 165 """
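Review bot: the added `request.user.is_authenticated()` term in the return on line 162 cannot change the result for a logged-out request, because Django's AnonymousUser already has `is_active` and `is_staff` set to False, so the original expression was already False there. If the block still renders on /admin/logout/, check where `has_permission` is evaluated for that view relative to the logout itself rather than extending this expression.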
Apologies, it would be in the HTML template:
django/contrib/admin/templates/admin/base.html
diff --git a/django/contrib/admin/templates/admin/base.html b/django/contrib/admin/templates/admin/base.html index 70e137c..47e4cad 100644
a b 24 24 {% block branding %}{% endblock %} 25 25 </div> 26 26 {% block usertools %} 27 {% if has_permission %}27 {% if has_permission and user.is_authenticated %} 28 28 <div id="user-tools"> 29 29 {% block welcome-msg %} 30 30 {% trans 'Welcome,' %}
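Review bot: the `{% if has_permission and user.is_authenticated %}` guard on line 27 corrects the output only in base.html and leaves `has_permission` true in the logout page's context, so a project template that overrides the `usertools` block, or any other block that tests `has_permission` alone, still renders logged-in UI. Prefer making the context value correct where it is produced for the logout view, and add a test asserting that `user-tools` is absent from the /admin/logout/ response.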
Scott
comment:3 by , 9 years ago
Seems okay. Will you send a pull request with a test (can probably find an existing one and just add an assertion)? Thanks!