summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdrian Holovaty <adrian@holovaty.com>2010-01-10 16:51:13 +0000
committerAdrian Holovaty <adrian@holovaty.com>2010-01-10 16:51:13 +0000
commit19b72077f7519236db0f5975dad01fe4466e06b8 (patch)
tree7eee46d14b98b44116e9d8388734d9912a09d800
parentb651bcb80b2046f17d8ce42fd20a1276938b52af (diff)
Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/admin/sites.py2
-rw-r--r--django/contrib/admin/templates/admin/base.html2
-rw-r--r--django/contrib/admin/views/decorators.py2
-rw-r--r--django/contrib/auth/tests/auth_backends.py5
-rw-r--r--django/core/xheaders.py2
-rw-r--r--django/middleware/doc.py3
-rw-r--r--tests/regressiontests/admin_views/tests.py16
-rw-r--r--tests/urls.py3
8 files changed, 29 insertions, 6 deletions
diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
index 10b82af0a4..d3ce7f181d 100644
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -139,7 +139,7 @@ class AdminSite(object):
Returns True if the given HttpRequest has permission to view
*at least one* page in the admin site.
"""
- return request.user.is_staff
+ return request.user.is_active and request.user.is_staff
def check_dependencies(self):
"""
diff --git a/django/contrib/admin/templates/admin/base.html b/django/contrib/admin/templates/admin/base.html
index a9d281641a..d1216a114e 100644
--- a/django/contrib/admin/templates/admin/base.html
+++ b/django/contrib/admin/templates/admin/base.html
@@ -22,7 +22,7 @@
<div id="branding">
{% block branding %}{% endblock %}
</div>
- {% if user.is_staff %}
+ {% if user.is_active and user.is_staff %}
<div id="user-tools">
{% trans 'Welcome,' %}
<strong>{% firstof user.first_name user.username %}</strong>.
diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py
index d28186e4e7..fc8582b1b8 100644
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@@ -28,7 +28,7 @@ def staff_member_required(view_func):
member, displaying the login page if necessary.
"""
def _checklogin(request, *args, **kwargs):
- if request.user.is_staff:
+ if request.user.is_active and request.user.is_staff:
# The user is valid. Continue to the admin page.
return view_func(request, *args, **kwargs)
diff --git a/django/contrib/auth/tests/auth_backends.py b/django/contrib/auth/tests/auth_backends.py
index af15d0b03b..3ab80f623c 100644
--- a/django/contrib/auth/tests/auth_backends.py
+++ b/django/contrib/auth/tests/auth_backends.py
@@ -29,6 +29,11 @@ class BackendTest(TestCase):
user.is_superuser = False
user.save()
self.assertEqual(user.has_perm('auth.test'), False)
+ user.is_staff = True
+ user.is_superuser = True
+ user.is_active = False
+ user.save()
+ self.assertEqual(user.has_perm('auth.test'), False)
def test_custom_perms(self):
user = User.objects.get(username='test')
diff --git a/django/core/xheaders.py b/django/core/xheaders.py
index 34335f12c5..b650a3a6d4 100644
--- a/django/core/xheaders.py
+++ b/django/core/xheaders.py
@@ -18,7 +18,7 @@ def populate_xheaders(request, response, model, object_id):
"""
from django.conf import settings
if (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS
- or (hasattr(request, 'user') and request.user.is_authenticated()
+ or (hasattr(request, 'user') and request.user.is_active
and request.user.is_staff)):
response['X-Object-Type'] = "%s.%s" % (model._meta.app_label, model._meta.object_name.lower())
response['X-Object-Id'] = str(object_id)
diff --git a/django/middleware/doc.py b/django/middleware/doc.py
index 2b4e6827f8..4f91503c43 100644
--- a/django/middleware/doc.py
+++ b/django/middleware/doc.py
@@ -12,7 +12,8 @@ class XViewMiddleware(object):
indicating the view function. This is used by the documentation module
to lookup the view function for an arbitrary page.
"""
- if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or request.user.is_staff):
+ if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or
+ (request.user.is_active and request.user.is_staff)):
response = http.HttpResponse()
response['X-View'] = "%s.%s" % (view_func.__module__, view_func.__name__)
return response
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index 899fff80bc..06cb3deef8 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -602,6 +602,20 @@ class AdminViewPermissionsTest(TestCase):
self.failUnlessEqual(logged.object_id, u'1')
self.client.get('/test_admin/admin/logout/')
+ def testDisabledPermissionsWhenLoggedIn(self):
+ self.client.login(username='super', password='secret')
+ superuser = User.objects.get(username='super')
+ superuser.is_active = False
+ superuser.save()
+
+ response = self.client.get('/test_admin/admin/')
+ self.assertContains(response, 'id="login-form"')
+ self.assertNotContains(response, 'Log out')
+
+ response = self.client.get('/test_admin/admin/secure-view/')
+ open('/home/maniac/Desktop/response.html', 'w').write(response.content)
+ self.assertContains(response, 'id="login-form"')
+
class AdminViewStringPrimaryKeyTest(TestCase):
fixtures = ['admin-views-users.xml', 'string-primary-key.xml']
@@ -622,7 +636,7 @@ class AdminViewStringPrimaryKeyTest(TestCase):
response = self.client.get('/test_admin/admin/admin_views/modelwithstringprimarykey/%s/history/' % quote(self.pk))
self.assertContains(response, escape(self.pk))
self.failUnlessEqual(response.status_code, 200)
-
+
def test_get_change_view(self):
"Retrieving the object using urlencoded form of primary key should work"
response = self.client.get('/test_admin/admin/admin_views/modelwithstringprimarykey/%s/' % quote(self.pk))
diff --git a/tests/urls.py b/tests/urls.py
index 6704829231..4d123a2e8a 100644
--- a/tests/urls.py
+++ b/tests/urls.py
@@ -35,4 +35,7 @@ urlpatterns = patterns('',
# conditional get views
(r'condition/', include('regressiontests.conditional_processing.urls')),
+
+ # special headers views
+ (r'special_headers/', include('regressiontests.special_headers.urls')),
)