From 413d1bd1c724a4468f51eae11d2738360c994fd8 Mon Sep 17 00:00:00 2001
From: David Barnes <barnesdavidj@gmail.com>
Date: Fri, 26 Aug 2022 20:15:22 -0400
Subject: [PATCH] Fix bug in AuthMiddleware where having strict mode on would accidently deny all admin views.
---
 adminlte2_pdq/middleware.py | 1 +
 tests/test_middleware.py | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/adminlte2_pdq/middleware.py b/adminlte2_pdq/middleware.py
index a2fc91f..0463a6f 100644
--- a/adminlte2_pdq/middleware.py
+++ b/adminlte2_pdq/middleware.py
@@ -120,6 +120,7 @@ class AuthMiddleware:
 current_url_name in STRICT_POLICY_WHITELIST
 or fully_qualified_url_name in STRICT_POLICY_WHITELIST
 or path in STRICT_POLICY_WHITELIST
+ or app_name == 'admin'
 ):
 exempt = True
diff --git a/tests/test_middleware.py b/tests/test_middleware.py
index 160a16d..00871fb 100644
--- a/tests/test_middleware.py
+++ b/tests/test_middleware.py
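Review bot: The added `or app_name == 'admin'` clause in adminlte2_pdq/middleware.py exempts every view resolved under the `admin` application namespace from the strict policy, so those views are now protected only by the checks they perform themselves. Django's stock admin views are wrapped by `AdminSite.admin_view`, but a custom URL added through `get_urls()` without that wrapper, or any other URLconf that declares `app_name = 'admin'`, would no longer be caught by strict mode. I would document that contract next to the condition, e.g. `# Admin views are exempt: they must enforce staff/permission checks themselves (AdminSite.admin_view).`, and consider making the exempt app name a setting rather than a literal. `app_name` is assigned outside this hunk, so how it is derived (presumably from the resolver match) should be confirmed.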
@@ -328,6 +328,25 @@ class MiddlewareTestCase(TestCase):
 self.assertEqual(response.status_code, 200)
 self.assertContains(response, "Demo CSS")
+ # **************************************************************************
+ # Logged In User - All Perms - Staff Status - Can see Admin page.
+ # **************************************************************************
+
+ @patch('adminlte2_pdq.middleware.LOGIN_REQUIRED', True)
+ @patch('adminlte2_pdq.middleware.STRICT_POLICY', True)
+ def test_middleware_allows_admin_when_user_logged_in_login_on_strict_on_login_wl_on_strict_wl_on(self):
+ """test_middleware_allows_admin_when_user_logged_in_login_on_strict_on_login_wl_on_strict_wl_on"""
+ self.test_user_w_perms.is_staff = True
+ self.test_user_w_perms.save()
+ self.client.force_login(self.test_user_w_perms)
+ response = self.client.get(
+ reverse('admin:auth_user_changelist'),
+ follow=True
+ )
+ print(response.content.decode())
+ self.assertEqual(response.status_code, 200)
+ self.assertContains(response, "Select user to change")
+
 # **************************************************************************
 # Logged In User - All Perms - Visiting 404
 # **************************************************************************
-- GitLab
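Review bot: Only the allow path of the new admin exemption is tested, so nothing pins that a logged-in user without staff status is still kept out of the admin under strict mode; a companion negative test is sketched below. The `print(response.content.decode())` line should be dropped, since it writes the rendered user changelist into test output and CI logs. The docstring only repeats the method name and could instead state the expectation, for example that a staff user reaches the admin changelist with LOGIN_REQUIRED and STRICT_POLICY both on.

```python
    @patch('adminlte2_pdq.middleware.LOGIN_REQUIRED', True)
    @patch('adminlte2_pdq.middleware.STRICT_POLICY', True)
    def test_middleware_admin_exemption_still_denies_non_staff_user(self):
        """The strict-mode admin exemption must not expose admin pages to non-staff users."""
        # Set explicitly so the result does not depend on fixture defaults or test order.
        self.test_user_w_perms.is_staff = False
        self.test_user_w_perms.save()
        self.client.force_login(self.test_user_w_perms)
        response = self.client.get(
            reverse('admin:auth_user_changelist'),
            follow=True
        )
        # Admin's own permission check should send the user to the admin login page.
        self.assertNotContains(response, "Select user to change")
```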