
Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Adrian Holovaty
2010-01-10 16:51:13 +00:00
parent b651bcb80b
commit 19b72077f7
8 changed files with 29 additions and 6 deletions


@@ -139,7 +139,7 @@ class AdminSite(object):
Returns True if the given HttpRequest has permission to view
*at least one* page in the admin site.
"""
return request.user.is_staff
return request.user.is_active and request.user.is_staff
def check_dependencies(self):
"""


@@ -22,7 +22,7 @@
<div id="branding">
{% block branding %}{% endblock %}
</div>
{% if user.is_staff %}
{% if user.is_active and user.is_staff %}
<div id="user-tools">
{% trans 'Welcome,' %}
<strong>{% firstof user.first_name user.username %}</strong>.


@@ -28,7 +28,7 @@ def staff_member_required(view_func):
member, displaying the login page if necessary.
"""
def _checklogin(request, *args, **kwargs):
if request.user.is_staff:
if request.user.is_active and request.user.is_staff:
# The user is valid. Continue to the admin page.
return view_func(request, *args, **kwargs)
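Review bot: The check `request.user.is_active and request.user.is_staff` in _checklogin is now written out separately here, in AdminSite.has_permission, in populate_xheaders, in XViewMiddleware and in the base template, which is how the copies drifted apart before this fix. A single helper shared by the Python call sites, for example a function whose body is `return user.is_active and user.is_staff`, would keep the rule in one place so that a later change to the admin access rule cannot miss one of the gates. The docstring of staff_member_required, which starts above the hunk, should also say that the user must be active as well as staff. _checklogin continues below the hunk.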


@@ -29,6 +29,11 @@ class BackendTest(TestCase):
user.is_superuser = False
user.save()
self.assertEqual(user.has_perm('auth.test'), False)
user.is_staff = True
user.is_superuser = True
user.is_active = False
user.save()
self.assertEqual(user.has_perm('auth.test'), False)
def test_custom_perms(self):
user = User.objects.get(username='test')


@@ -18,7 +18,7 @@ def populate_xheaders(request, response, model, object_id):
"""
from django.conf import settings
if (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS
or (hasattr(request, 'user') and request.user.is_authenticated()
or (hasattr(request, 'user') and request.user.is_active
and request.user.is_staff)):
response['X-Object-Type'] = "%s.%s" % (model._meta.app_label, model._meta.object_name.lower())
response['X-Object-Id'] = str(object_id)


@@ -12,7 +12,8 @@ class XViewMiddleware(object):
indicating the view function. This is used by the documentation module
to lookup the view function for an arbitrary page.
"""
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or request.user.is_staff):
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or
(request.user.is_active and request.user.is_staff)):
response = http.HttpResponse()
response['X-View'] = "%s.%s" % (view_func.__module__, view_func.__name__)
return response
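Review bot: The rewritten condition in XViewMiddleware still reads `request.user` without checking that the attribute exists, while populate_xheaders in this same commit guards the same test with `hasattr(request, 'user')`. If this middleware can run without the authentication middleware ahead of it (not visible from here), a HEAD request from an address outside INTERNAL_IPS would raise AttributeError instead of falling through to the normal view. The second operand could be `(hasattr(request, 'user') and request.user.is_active and request.user.is_staff)`. The method's signature and the rest of its body are outside the hunk.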


@@ -602,6 +602,20 @@ class AdminViewPermissionsTest(TestCase):
self.failUnlessEqual(logged.object_id, u'1')
self.client.get('/test_admin/admin/logout/')
def testDisabledPermissionsWhenLoggedIn(self):
self.client.login(username='super', password='secret')
superuser = User.objects.get(username='super')
superuser.is_active = False
superuser.save()
response = self.client.get('/test_admin/admin/')
self.assertContains(response, 'id="login-form"')
self.assertNotContains(response, 'Log out')
response = self.client.get('/test_admin/admin/secure-view/')
open('/home/maniac/Desktop/response.html', 'w').write(response.content)
self.assertContains(response, 'id="login-form"')
class AdminViewStringPrimaryKeyTest(TestCase):
fixtures = ['admin-views-users.xml', 'string-primary-key.xml']
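Review bot: The line `open('/home/maniac/Desktop/response.html', 'w').write(response.content)` in testDisabledPermissionsWhenLoggedIn is leftover debugging output and should be deleted. It writes the rendered admin response to a hard-coded path in one developer's home directory, so on any machine without that directory the test raises IOError before the final assertion runs, and the file handle is never closed. The assertContains checks before and after it already cover the behaviour, so nothing needs to replace it.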


@@ -35,4 +35,7 @@ urlpatterns = patterns('',
# conditional get views
(r'condition/', include('regressiontests.conditional_processing.urls')),
# special headers views
(r'special_headers/', include('regressiontests.special_headers.urls')),
)