Redirect superusers to /admin on login

malcolmbaig · malcolmbaig · commit aa6b90479340 · 2026-03-20T12:10:05.000Z
Make this change for both Persona and CIS2 logins. The initial idea here
was to also check for provider assignments and only redirect if none
existed. I've opted to redirect regardless as it's trivial to navigate
back to the app from the admin screen.

I've also added 'next' param support for superusers to redirect back to
a page on the service after Persona login if the superuser's session
timed out.
diff --git a/manage_breast_screening/auth/demo_views.py b/manage_breast_screening/auth/demo_views.py
@@ -18,9 +18,9 @@
 @csrf_exempt
 @login_not_required
 def persona_login(request):
-    next_path = extract_relative_redirect_url(
-        request, parameter_name="next", default="/"
-    )
+    next_path = extract_relative_redirect_url(request, parameter_name="next")
+    if next_path == "/":
+        next_path = None
 
     if request.method == "POST":
         try:
@@ -34,8 +34,8 @@ def persona_login(request):
         now = timezone.now()
         request.session["login_time"] = now.isoformat()
 
-        if request.user.is_superuser:
-            redirect_url = next_path
+        if request.user.is_superuser and not next_path:
+            redirect_url = reverse("admin:index")
         else:
             redirect_url = reverse("select_provider")
             if next_path:
diff --git a/manage_breast_screening/auth/tests/test_views.py b/manage_breast_screening/auth/tests/test_views.py
@@ -18,6 +18,7 @@ def personas():
             nhs_uid=persona.username,
             first_name=persona.first_name,
             last_name=persona.last_name,
+            is_superuser=persona.is_superuser,
         )
         UserAssignmentFactory(
             user=user,
@@ -51,6 +52,36 @@ def test_post_persona_login(client):
     assert response.headers["location"] == "/current-provider/select/?next=%2Fsome-url"
 
 
+@pytest.mark.django_db
+def test_post_persona_login_superuser_redirects_to_admin(client):
+    response = client.post(
+        reverse("auth:persona_login"),
+        {"username": "priya_bains"},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/admin/"
+
+
+@pytest.mark.django_db
+def test_post_persona_login_superuser_with_root_next_redirects_to_admin(client):
+    response = client.post(
+        reverse("auth:persona_login"),
+        {"username": "priya_bains", "next": "/"},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/admin/"
+
+
+@pytest.mark.django_db
+def test_post_persona_login_superuser_with_next_redirects_to_select_provider(client):
+    response = client.post(
+        reverse("auth:persona_login"),
+        {"username": "priya_bains", "next": "/some-url"},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/current-provider/select/?next=%2Fsome-url"
+
+
 @pytest.mark.django_db
 @override_settings(CIS2_ACR_VALUES="some-test-acr-value")
 def test_cis2_login_uses_configured_acr_values(client, monkeypatch):
@@ -187,6 +218,7 @@ def test_accepts_valid_assurance_levels(
 
             mock_user = Mock()
             mock_user.nhs_uid = "user-123"
+            mock_user.is_superuser = False
             mock_authenticate = Mock(return_value=mock_user)
             mock_login = Mock()
 
@@ -208,3 +240,24 @@ def test_accepts_valid_assurance_levels(
                 ANY, cis2_sub="user-123", cis2_userinfo={"sub": "user-123"}
             )
             mock_login.assert_called_once_with(ANY, mock_user)
+
+    def test_superuser_redirects_to_admin(
+        self, client, monkeypatch, mock_cis2_client_factory
+    ):
+        """Superusers should always be sent to the admin site after login."""
+        mock_cis2_client_factory()
+
+        mock_user = Mock()
+        mock_user.nhs_uid = "user-123"
+        mock_user.is_superuser = True
+
+        monkeypatch.setattr(
+            "manage_breast_screening.auth.views.authenticate",
+            Mock(return_value=mock_user),
+        )
+        monkeypatch.setattr("manage_breast_screening.auth.views.auth_login", Mock())
+
+        response = client.get(reverse("auth:cis2_callback"))
+
+        assert response.status_code == 302
+        assert response.headers["location"] == "/admin/"
diff --git a/manage_breast_screening/auth/views.py b/manage_breast_screening/auth/views.py
@@ -115,6 +115,9 @@ def cis2_callback(request):
     request.session["login_time"] = now.isoformat()
     request.session["last_activity"] = now.isoformat()
 
+    if user.is_superuser:
+        return redirect(reverse("admin:index"))
+
     return redirect(reverse("select_provider"))
 
 
