From aeed2cf3b23161f228c8b221e56ea4d8a7cf71aa Mon Sep 17 00:00:00 2001
From: Tim Graham
Date: Mon, 9 Sep 2013 07:59:35 -0400
Subject: [PATCH] Added a test to show that the user.is_staff check in admin base.html is necessary. refs #21067
---
 tests/admin_views/tests.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index 18d06f075c..ac289c550a 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -1296,6 +1296,19 @@ class AdminViewPermissionsTest(TestCase):
 response = self.client.get('/test_admin/admin/secure-view/')
 self.assertContains(response, 'id="login-form"')

+ def testDisabledStaffPermissionsWhenLoggedIn(self):
+ self.client.login(username='super', password='secret')
+ superuser = User.objects.get(username='super')
+ superuser.is_staff = False
+ superuser.save()
+
+ response = self.client.get('/test_admin/admin/')
+ self.assertContains(response, 'id="login-form"')
+ self.assertNotContains(response, 'Log out')
+
+ response = self.client.get('/test_admin/admin/secure-view/')
+ self.assertContains(response, 'id="login-form"')
+

 @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
 class AdminViewsNoUrlTest(TestCase):
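Review bot: The return value of `self.client.login(...)` on the first line of `testDisabledStaffPermissionsWhenLoggedIn` is never checked, so if the login fails the client is anonymous and every assertion (login form present, no 'Log out') still passes without exercising the is_staff check at all. Asserting it, `self.assertTrue(self.client.login(username='super', password='secret'))`, makes the test prove that an authenticated session whose staff flag was revoked is the one being denied. A one-line docstring such as `"""A logged-in user whose is_staff flag is cleared mid-session gets the login form, not the admin (refs #21067)."""` would record why the case exists. The 'super' fixture and the rest of AdminViewPermissionsTest lie outside the hunk, so that the account exists with this password is assumed here.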