Opened 17 years ago
Last modified 8 months ago
#6363 assigned Bug
Login page is redisplayed without any message if AdminSite.has_permission() returns False
Reported by: | Michel Sabchuk | Owned by: | Ahtisham Shafi |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | net147 | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | yes | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I found a bug when using the has_permission method of the AdminSite class to filter which users can access the admin page:
class SuperuserAdminSite(admin.AdminSite): def has_permission(self, request): return super(SuperuserAdminSite, self).has_permission(request) and request.user.is_superuser admin_site = SuperuserAdminSite()
When I try to log on a user that is not a superuser, it already get the login but stay on the login page (with the header but no application loaded), I think this is a bug :) The user should get a error message as if it passed a wrong password or such, isn´t it?
Attachments (3)
Change History (20)
comment:1 by , 16 years ago
Component: | Uncategorized → Admin interface |
---|---|
Version: | SVN → newforms-admin |
comment:2 by , 16 years ago
Has patch: | set |
---|---|
Keywords: | nfa-someday added |
Triage Stage: | Unreviewed → Accepted |
I think I see the problem. If you try to create a SuperuserAdminSite that only superusers are allowed to login to, as shown by the supplied code, then when you navigate to that site and present login information for a staff (but not superuser) user and press the "Log In" button, the login page is redisplayed without any error messages, plus the user-tools links div overlays the login form (I'll attach an image).
Problem is the base AdminSite during login assumes that any user that is_staff can access the admin site. I've created a patch that fixes this. Logic is a little more convoluted than I'd like because the has_permission method takes a request object and the user logging in is only associated with the request object after login() is called, so in the case where the user is a staff member but doesn't pass the site's has_permission test you have to call login to get the user attached to the request, then has_permission to check for permissions, then logout to detach the insufficiently qualified user from the request and replace them with the AnonymousUser again.
Accepting based on the assumption that this is something one should be able to do in newforms-admin? Feel free to correct me if I'm wrong on that though. Tagging nfa-someday since I don't see it as super high-priority.
by , 16 years ago
Attachment: | weirdness.png added |
---|
by , 16 years ago
by , 16 years ago
Attachment: | 6363-1.diff added |
---|
Fixed patch -- like I said this logic is more convoluted than I like
comment:3 by , 14 years ago
Needs tests: | set |
---|
comment:4 by , 14 years ago
Cc: | added |
---|
comment:5 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → Bug |
comment:8 by , 12 years ago
Just verified that this does still happen on current trunk, though the patch is of course very outdated at this point.
comment:9 by , 12 years ago
It looks like the 2 problem spots now are:
https://github.com/django/django/blob/master/django/contrib/admin/views/decorators.py#L14
and
https://github.com/django/django/blob/master/django/contrib/admin/forms.py#L41
Both of these should be modified to use AdminSite.has_permission. *How* that's to be done, I don't yet have any idea. ;-)
comment:12 by , 10 years ago
The visual quirk about user tools is gone. But there is still a small difference in that the authentication simply refuse the login and redisplay the login form without any explanation (like it would have given if user is not staff or password is wrong).
Tentative resolution:
-
django/contrib/admin/forms.py
diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py index 2e482b9..f40b2fc 100644
a b class AdminAuthenticationForm(AuthenticationForm): 17 17 required_css_class = 'required' 18 18 19 19 def confirm_login_allowed(self, user): 20 if not user.is_active or not user.is_staff:20 if not self.request.admin_site.has_permission(self.request): 21 21 raise forms.ValidationError( 22 22 self.error_messages['invalid_login'], 23 23 code='invalid_login', -
django/contrib/admin/sites.py
diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py index 4b5ee57..ff6767f 100644
a b class AdminSite(object): 392 392 'authentication_form': self.login_form or AdminAuthenticationForm, 393 393 'template_name': self.login_template or 'admin/login.html', 394 394 } 395 request.admin_site = self 395 396 return login(request, **defaults) 396 397 397 398 @never_cache
comment:13 by , 10 years ago
@claudep proposed solution almost works, but request in confirm_login_allowed
still does not carry the actual user, but the pre-login one (which is likely AnonymousUser
).
A solution would be setting the user on request before passing to AdminSite.has_permission
(eventually resetting it to the original after that).
Does it sound good?
-
django/contrib/admin/forms.py
diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py index 2e482b9..e1d6fef 100644
a b class AdminAuthenticationForm(AuthenticationForm): 17 17 required_css_class = 'required' 18 18 19 19 def confirm_login_allowed(self, user): 20 if not user.is_active or not user.is_staff: 20 self.request.user = user 21 if not self.request.admin_site.has_permission(self.request): 21 22 raise forms.ValidationError( 22 23 self.error_messages['invalid_login'], 23 24 code='invalid_login',
rebasing @czpython PR it's also an option (and way cleaner as it will display a proper message)
comment:14 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:15 by , 8 years ago
Keywords: | nfa-someday removed |
---|---|
Summary: | Bug with has_permission method of AdminSite class. → Login page is redisplayed without any message if AdminSite.has_permission() returns False |
Version: | newforms-admin → master |
This may be addressed by #25163 which added this message to the login page if AdminSite.has_permission()
returns False
:
You are authenticated as <username>, but are not authorized to access this page. Would you like to login to a different account?
I haven't checked if the previously proposed patches might be a further improvement.
comment:16 by , 2 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:17 by , 8 months ago
Owner: | set to |
---|---|
Status: | new → assigned |
I assume this has to do with newforms-admin branch?
The ticket is 5 months old, could you please check if it's still valid?