It is possible to get email and user names without authentication

Issue #1385 resolved
Gunnar Scherf created an issue

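AutocompleteAdmin allows getting user names and email addresses without authentication. The user should at least be of type "is_staff=True". Below is a possible fix for the AutocompleteAdmin class.

    def get_urls(self):
        from functools import update_wrapper
        from django.conf.urls.defaults import url

        # Route the view through admin_site.admin_view so the admin
        # site's permission check runs before the view does.
        def wrap(view):
            def wrapper(*args, **kwargs):
                return self.admin_site.admin_view(view)(*args, **kwargs)
            return update_wrapper(wrapper, view)

        patterns = super(AutocompleteAdmin, self).get_urls()
        # The first element of info and the URL regex are missing from the page;
        # self.admin_site.name and r'^search/$' are assumed here.
        info = self.admin_site.name, self.model._meta.app_label, self.model._meta.module_name
        patterns.insert(
            -1,     # insert just before (.+) rule (see django.contrib.admin.options.ModelAdmin.get_urls)
            url(r'^search/$', wrap(self.search),
                name='%sadmin_%s_%s_search' % info)
        )
        return patterns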


Comments (3)

  1. Chris Moffitt repo owner

    Interesting. Is there any reason we couldn't just wrap the search view with staff_member_required?

    from django.contrib.admin.views.decorators import staff_member_required

    @staff_member_required
    def search(self, request):
        """
        Searches in the fields of the given related model and returns the
        result as a simple string to be used by the jQuery Autocomplete plugin
        """
        query = request.GET.get('q', None)
        app_label = request.GET.get('app_label', None)

    I think this approach is a little cleaner to understand but I haven't verified it fixes the issue. If it does, then let me know.

  2. Gunnar Scherf reporter

    I did not know this decorator, but the decorator does not work, because it expects a view function with the request as the first parameter. Here we have a member function with self as the first parameter and request as the 2nd. I copied the first solution from the ModelAdmin class in Django, so maybe it's a little complicated, but consistent. Thanks
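
The argument-order problem discussed in the two comments, as an added example that is not part of the thread or of Satchmo's code. It runs without Django: `staff_required` is a simplified stand-in for a function-view decorator such as `staff_member_required`, and `User`, `Request` and `AutocompleteAdminSketch` are hypothetical names.

```python
from functools import wraps


class User:
    def __init__(self, is_staff):
        self.is_active = True
        self.is_staff = is_staff


class Request:
    def __init__(self, user):
        self.user = user


def staff_required(view):
    """Stand-in guard: assumes the request is the first positional argument."""
    @wraps(view)
    def checked(request, *args, **kwargs):
        if request.user.is_active and request.user.is_staff:
            return view(request, *args, **kwargs)
        return "403 staff only"
    return checked


class AutocompleteAdminSketch:
    # Decorating the method in the class body: `self` lands in the
    # `request` slot, so the guard reads `.user` from the admin object.
    @staff_required
    def search_decorated(self, request):
        return "results"

    def search(self, request):
        return "results"

    def guarded_search(self, request):
        # Wrapping the bound method (the shape of the get_urls() fix):
        # `self` is already bound, so the request is first again.
        return staff_required(self.search)(request)


def outcomes():
    admin = AutocompleteAdminSketch()
    anon, staff = Request(User(False)), Request(User(True))  # constructed requests
    try:
        broken = admin.search_decorated(staff)
    except AttributeError:
        broken = "AttributeError"
    return broken, admin.guarded_search(anon), admin.guarded_search(staff)
```

The decorated method fails even for a staff user, while the wrapped bound method rejects the non-staff request and serves the staff one.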
