mirror of
https://github.com/django/django.git
synced 2025-01-08 17:37:20 +00:00
Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
b651bcb80b
commit
19b72077f7
@ -139,7 +139,7 @@ class AdminSite(object):
|
||||
Returns True if the given HttpRequest has permission to view
|
||||
*at least one* page in the admin site.
|
||||
"""
|
||||
return request.user.is_staff
|
||||
return request.user.is_active and request.user.is_staff
|
||||
|
||||
def check_dependencies(self):
|
||||
"""
|
||||
|
@ -22,7 +22,7 @@
|
||||
<div id="branding">
|
||||
{% block branding %}{% endblock %}
|
||||
</div>
|
||||
{% if user.is_staff %}
|
||||
{% if user.is_active and user.is_staff %}
|
||||
<div id="user-tools">
|
||||
{% trans 'Welcome,' %}
|
||||
<strong>{% firstof user.first_name user.username %}</strong>.
|
||||
|
@ -28,7 +28,7 @@ def staff_member_required(view_func):
|
||||
member, displaying the login page if necessary.
|
||||
"""
|
||||
def _checklogin(request, *args, **kwargs):
|
||||
if request.user.is_staff:
|
||||
if request.user.is_active and request.user.is_staff:
|
||||
# The user is valid. Continue to the admin page.
|
||||
return view_func(request, *args, **kwargs)
|
||||
|
||||
|
@ -29,6 +29,11 @@ class BackendTest(TestCase):
|
||||
user.is_superuser = False
|
||||
user.save()
|
||||
self.assertEqual(user.has_perm('auth.test'), False)
|
||||
user.is_staff = True
|
||||
user.is_superuser = True
|
||||
user.is_active = False
|
||||
user.save()
|
||||
self.assertEqual(user.has_perm('auth.test'), False)
|
||||
|
||||
def test_custom_perms(self):
|
||||
user = User.objects.get(username='test')
|
||||
|
@ -18,7 +18,7 @@ def populate_xheaders(request, response, model, object_id):
|
||||
"""
|
||||
from django.conf import settings
|
||||
if (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS
|
||||
or (hasattr(request, 'user') and request.user.is_authenticated()
|
||||
or (hasattr(request, 'user') and request.user.is_active
|
||||
and request.user.is_staff)):
|
||||
response['X-Object-Type'] = "%s.%s" % (model._meta.app_label, model._meta.object_name.lower())
|
||||
response['X-Object-Id'] = str(object_id)
|
||||
|
@ -12,7 +12,8 @@ class XViewMiddleware(object):
|
||||
indicating the view function. This is used by the documentation module
|
||||
to lookup the view function for an arbitrary page.
|
||||
"""
|
||||
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or request.user.is_staff):
|
||||
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or
|
||||
(request.user.is_active and request.user.is_staff)):
|
||||
response = http.HttpResponse()
|
||||
response['X-View'] = "%s.%s" % (view_func.__module__, view_func.__name__)
|
||||
return response
|
||||
|
@ -602,6 +602,20 @@ class AdminViewPermissionsTest(TestCase):
|
||||
self.failUnlessEqual(logged.object_id, u'1')
|
||||
self.client.get('/test_admin/admin/logout/')
|
||||
|
||||
def testDisabledPermissionsWhenLoggedIn(self):
|
||||
self.client.login(username='super', password='secret')
|
||||
superuser = User.objects.get(username='super')
|
||||
superuser.is_active = False
|
||||
superuser.save()
|
||||
|
||||
response = self.client.get('/test_admin/admin/')
|
||||
self.assertContains(response, 'id="login-form"')
|
||||
self.assertNotContains(response, 'Log out')
|
||||
|
||||
response = self.client.get('/test_admin/admin/secure-view/')
|
||||
open('/home/maniac/Desktop/response.html', 'w').write(response.content)
|
||||
self.assertContains(response, 'id="login-form"')
|
||||
|
||||
class AdminViewStringPrimaryKeyTest(TestCase):
|
||||
fixtures = ['admin-views-users.xml', 'string-primary-key.xml']
|
||||
|
||||
@ -622,7 +636,7 @@ class AdminViewStringPrimaryKeyTest(TestCase):
|
||||
response = self.client.get('/test_admin/admin/admin_views/modelwithstringprimarykey/%s/history/' % quote(self.pk))
|
||||
self.assertContains(response, escape(self.pk))
|
||||
self.failUnlessEqual(response.status_code, 200)
|
||||
|
||||
|
||||
def test_get_change_view(self):
|
||||
"Retrieving the object using urlencoded form of primary key should work"
|
||||
response = self.client.get('/test_admin/admin/admin_views/modelwithstringprimarykey/%s/' % quote(self.pk))
|
||||
|
@ -35,4 +35,7 @@ urlpatterns = patterns('',
|
||||
|
||||
# conditional get views
|
||||
(r'condition/', include('regressiontests.conditional_processing.urls')),
|
||||
|
||||
# special headers views
|
||||
(r'special_headers/', include('regressiontests.special_headers.urls')),
|
||||
)
|
||||
|
Loading…
Reference in New Issue
Block a user