Fixed #26035 -- Prevented user-tools from appearing on admin logout page.

AUTHORS

@@ -641,6 +641,7 @@ answer newbie questions, and generally made Django that much better:
     schwank@gmail.com
     Scot Hacker <shacker@birdhouse.org>
     Scott Barr <scott@divisionbyzero.com.au>
+    Scott Pashley <github@scottpashley.co.uk>
     scott@staplefish.com
     Sean Brant
     Sebastian Hillig <sebastian.hillig@gmail.com>

django/contrib/admin/sites.py

@@ -372,7 +372,13 @@ class AdminSite(object):
         """
         from django.contrib.auth.views import logout
         defaults = {
-            'extra_context': dict(self.each_context(request), **(extra_context or {})),
+            'extra_context': dict(
+                self.each_context(request),
+                # Since the user isn't logged out at this point, the value of
+                # has_permission must be overridden.
+                has_permission=False,
+                **(extra_context or {})
+            ),
         }
         if self.logout_template is not None:
             defaults['template_name'] = self.logout_template

docs/releases/1.8.9.txt

@@ -9,4 +9,5 @@ Django 1.8.9 fixes several bugs in 1.8.8.
 Bugfixes
 ========
 
-* ...
+* Fixed a regression that caused the "user-tools" items to display on the
+  admin's logout page (:ticket:`26035`).

docs/releases/1.9.2.txt

@@ -11,3 +11,6 @@ Bugfixes
 
 * Fixed a regression in ``ConditionalGetMiddleware`` causing ``If-None-Match`` checks
   to always return HTTP 200 (:ticket:`26024`).
+
+* Fixed a regression that caused the "user-tools" items to display on the
+  admin's logout page (:ticket:`26035`).

tests/admin_views/tests.py

@@ -5442,7 +5442,7 @@ class AdminCustomSaveRelatedTests(TestCase):
 
 @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'],
     ROOT_URLCONF="admin_views.urls")
-class AdminViewLogoutTest(TestCase):
+class AdminViewLogoutTests(TestCase):
 
     @classmethod
     def setUpTestData(cls):
@@ -5453,16 +5453,16 @@ class AdminViewLogoutTest(TestCase):
             is_staff=True, is_active=True, date_joined=datetime.datetime(2007, 5, 30, 13, 20, 10)
         )
 
-    def setUp(self):
+    def test_logout(self):
         self.client.force_login(self.superuser)
-
-    def test_client_logout_url_can_be_used_to_login(self):
         response = self.client.get(reverse('admin:logout'))
         self.assertEqual(response.status_code, 200)
         self.assertTemplateUsed(response, 'registration/logged_out.html')
         self.assertEqual(response.request['PATH_INFO'], reverse('admin:logout'))
+        self.assertFalse(response.context['has_permission'])
+        self.assertNotContains(response, 'user-tools')  # user-tools div shouldn't visible.
 
-        # we are now logged out
+    def test_client_logout_url_can_be_used_to_login(self):
         response = self.client.get(reverse('admin:logout'))
         self.assertEqual(response.status_code, 302)  # we should be redirected to the login page.