#36576: /admin/logout/ requires having admin access
--------------------------+-----------------------------------------
     Reporter:  adehnert  |                     Type:  Uncategorized
       Status:  new       |                Component:  contrib.auth
      Version:  5.1       |                 Severity:  Normal
     Keywords:            |             Triage Stage:  Unreviewed
    Has patch:  0         |      Needs documentation:  0
  Needs tests:  0         |  Patch needs improvement:  0
Easy pickings:  0         |                    UI/UX:  0
--------------------------+-----------------------------------------
 If I visit /admin/logout/ while logged in as a user that doesn't have
 admin/staff access, I'm redirected to /admin/ and then to /admin/login/,
 *without* being logged out of my existing user. This feels like a bug, for
 several reasons:
 * If I don't have permission to access `/admin/logout/` for some reason,
 shouldn't I get told that, not just redirected to a login screen and left
 to guess?
 * The [https://github.com/django/django/blob/c594574175e379fff356e274893d797f6e6a95fa/django/contrib/admin/sites.py#L391 docstring for logout()] says "This should *not* assume the user is already
 logged in.", which isn't quite the same as "should log you out regardless
 of what user you are" but sorta hints in that direction to me
 * The [https://docs.djangoproject.com/en/5.2/releases/4.1/#log-out-via-get
 release notes for 4.1] suggest using `admin:logout` to log out, without
 any caveats about "all your users need to be staff" (my instinct is the
 recommendation should be `logout` not `admin:logout` regardless -- #36575
 -- but it still suggests that this behavior is unexpected).

 I looked briefly and didn't understand *how* /admin/logout/ requires admin
 access; I'm mildly suspicious of the [https://github.com/django/django/commit/c7fc9f20b49b5889a9a8f47de45165ac443c1a21#diff-0b9b76020bca57d146eddea5c47e1e6a99744ce287a365e18a0d7685dd268f18R408 @login_not_required decorator on `login`] but I don't know if that's
 actually relevant.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36576>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
