Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 16:51:13 +00:00 · 2010-01-10 16:51:13 +00:00 · 19b72077f7
parent b651bcb80b
commit 19b72077f7
8 changed files with 29 additions and 6 deletions
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@ -139,7 +139,7 @@ class AdminSite(object):
        Returns True if the given HttpRequest has permission to view
        *at least one* page in the admin site.
        """
-        return request.user.is_staff
+        return request.user.is_active and request.user.is_staff

    def check_dependencies(self):
        """
--- a/django/contrib/admin/templates/admin/base.html
+++ b/django/contrib/admin/templates/admin/base.html
@ -22,7 +22,7 @@
        <div id="branding">
        {% block branding %}{% endblock %}
        </div>
-        {% if user.is_staff %}
+        {% if user.is_active and user.is_staff %}
        <div id="user-tools">
            {% trans 'Welcome,' %}
            <strong>{% firstof user.first_name user.username %}</strong>.
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@ -28,7 +28,7 @@ def staff_member_required(view_func):
    member, displaying the login page if necessary.
    """
    def _checklogin(request, *args, **kwargs):
-        if request.user.is_staff:
+        if request.user.is_active and request.user.is_staff:
            # The user is valid. Continue to the admin page.
            return view_func(request, *args, **kwargs)

--- a/django/contrib/auth/tests/auth_backends.py
+++ b/django/contrib/auth/tests/auth_backends.py
@ -29,6 +29,11 @@ class BackendTest(TestCase):
        user.is_superuser = False
        user.save()
        self.assertEqual(user.has_perm('auth.test'), False)
+        user.is_staff = True
+        user.is_superuser = True
+        user.is_active = False
+        user.save()
+        self.assertEqual(user.has_perm('auth.test'), False)

    def test_custom_perms(self):
        user = User.objects.get(username='test')
--- a/django/core/xheaders.py
+++ b/django/core/xheaders.py
@ -18,7 +18,7 @@ def populate_xheaders(request, response, model, object_id):
    """
    from django.conf import settings
    if (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS
-            or (hasattr(request, 'user') and request.user.is_authenticated()
+            or (hasattr(request, 'user') and request.user.is_active
                and request.user.is_staff)):
        response['X-Object-Type'] = "%s.%s" % (model._meta.app_label, model._meta.object_name.lower())
        response['X-Object-Id'] = str(object_id)
--- a/django/middleware/doc.py
+++ b/django/middleware/doc.py
@ -12,7 +12,8 @@ class XViewMiddleware(object):
        indicating the view function.  This is used by the documentation module
        to lookup the view function for an arbitrary page.
        """
-        if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or request.user.is_staff):
+        if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or
+                                         (request.user.is_active and request.user.is_staff)):
            response = http.HttpResponse()
            response['X-View'] = "%s.%s" % (view_func.__module__, view_func.__name__)
            return response
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@ -602,6 +602,20 @@ class AdminViewPermissionsTest(TestCase):
        self.failUnlessEqual(logged.object_id, u'1')
        self.client.get('/test_admin/admin/logout/')

+    def testDisabledPermissionsWhenLoggedIn(self):
+        self.client.login(username='super', password='secret')
+        superuser = User.objects.get(username='super')
+        superuser.is_active = False
+        superuser.save()
+
+        response = self.client.get('/test_admin/admin/')
+        self.assertContains(response, 'id="login-form"')
+        self.assertNotContains(response, 'Log out')
+
+        response = self.client.get('/test_admin/admin/secure-view/')
+        open('/home/maniac/Desktop/response.html', 'w').write(response.content)
+        self.assertContains(response, 'id="login-form"')
+
 class AdminViewStringPrimaryKeyTest(TestCase):
    fixtures = ['admin-views-users.xml', 'string-primary-key.xml']

@ -622,7 +636,7 @@ class AdminViewStringPrimaryKeyTest(TestCase):
        response = self.client.get('/test_admin/admin/admin_views/modelwithstringprimarykey/%s/history/' % quote(self.pk))
        self.assertContains(response, escape(self.pk))
        self.failUnlessEqual(response.status_code, 200)
- 
+
    def test_get_change_view(self):
        "Retrieving the object using urlencoded form of primary key should work"
        response = self.client.get('/test_admin/admin/admin_views/modelwithstringprimarykey/%s/' % quote(self.pk))
--- a/tests/urls.py
+++ b/tests/urls.py
@ -35,4 +35,7 @@ urlpatterns = patterns('',

    # conditional get views
    (r'condition/', include('regressiontests.conditional_processing.urls')),
+
+    # special headers views
+    (r'special_headers/', include('regressiontests.special_headers.urls')),
 )