It is possible to get email and user names without authentication

Issue #1385 resolved
Gunnar Scherf
created an issue

AutocompleteAdmin allows getting user names and email addresses without authentication. The user should at least be of type "is_staff=True". Below is a possible fix for the AutocompleteAdmin class.

{{{
!python

from functools import update_wrapper

def get_urls(self):
    from django.conf.urls.defaults import url

    def wrap(view):
        # Route the view through the admin site's own permission check
        def wrapper(*args, **kwargs):
            return self.admin_site.admin_view(view)(*args, **kwargs)
        return update_wrapper(wrapper, view)

    patterns = super(AutocompleteAdmin, self).get_urls()
    info = self.admin_site.name, self.model._meta.app_label, self.model._meta.module_name
    patterns.insert(
        -1,     # insert just before the (.+) rule (see django.contrib.admin.options.ModelAdmin.get_urls)
        url(r'^search/$',
            wrap(self.search),
            name='%sadmin_%s_%s_search' % info
            )
        )
    return patterns

}}}

Comments (3)

  1. Chris Moffitt repo owner

    Interesting. Is there any reason we couldn't just wrap the search view with staff_member_required?

    from django.contrib.admin.views.decorators import staff_member_required
    ...

    @staff_member_required
    def search(self, request):
        """
        Searches in the fields of the given related model and returns the
        result as a simple string to be used by the jQuery Autocomplete plugin
        """
        query = request.GET.get('q', None)
        app_label = request.GET.get('app_label', None)

    I think this approach is a little cleaner to understand but I haven't verified it fixes the issue. If it does, then let me know.

  2. Gunnar Scherf reporter

    I did not know this decorator, but the decorator does not work, because it expects a view function with the request as the first parameter. Here we have a member function with self as the first parameter and request as the second. I copied the first solution from the ModelAdmin class in Django, so maybe it’s a little complicated, but consistent. Thanks
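As an added example (not code from the issue or from the Satchmo project), a Django-free model of the two approaches discussed in the comments: `Request`, `User`, `staff_member_required` and `admin_view` are simplified stand-ins for the Django objects of those names, and `USERS` is constructed sample data. It shows the unguarded view leaking, the decorator on the method receiving `self` as its request, and the bound-method wrap admitting staff only.

```python
from functools import update_wrapper

USERS = [('alice', 'alice@example.com'), ('bob', 'bob@example.com')]  # constructed sample data

class User:                       # stand-in for django.contrib.auth's User
    def __init__(self, is_staff, is_active=True):
        self.is_staff, self.is_active = is_staff, is_active
class Request:                    # stand-in for django.http.HttpRequest
    def __init__(self, user, q):
        self.user, self.GET = user, {'q': q}

def staff_member_required(view_func):
    # Same shape as Django's decorator: the first positional argument must be the request.
    def _checklogin(request, *args, **kwargs):
        if request.user.is_active and request.user.is_staff:
            return view_func(request, *args, **kwargs)
        return 'redirect to admin login'
    return update_wrapper(_checklogin, view_func)

class AutocompleteAdmin:
    def search(self, request):
        # The leaking view: answers any caller with user names and addresses.
        q = request.GET.get('q', '')
        return [u for u in USERS if u[0].startswith(q)]

    # Comment 1's idea on the method: `self` arrives where the decorator expects the request.
    decorated_search = staff_member_required(search)

    def admin_view(self, view):
        # Stand-in for admin_site.admin_view as used by the issue's wrap(): `view` is an
        # already-bound method, so the decorator's first argument is a real request.
        def wrapper(*args, **kwargs):
            return staff_member_required(view)(*args, **kwargs)
        return update_wrapper(wrapper, view)

def call(view, request):
    # Report an AttributeError as a value so the three variants can be compared.
    try:
        return view(request)
    except AttributeError as exc:
        return 'AttributeError: %s' % exc

def compare():
    admin = AutocompleteAdmin()
    anon = Request(User(is_staff=False, is_active=False), 'a')
    staff = Request(User(is_staff=True), 'a')
    return {
        'unguarded_anon': call(admin.search, anon),                    # leaks alice's address
        'decorated_anon': call(admin.decorated_search, anon),          # AttributeError on self.user
        'wrapped_anon': call(admin.admin_view(admin.search), anon),    # redirect to admin login
        'wrapped_staff': call(admin.admin_view(admin.search), staff),  # staff still gets the data
    }
```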