Opened 16 years ago

Closed 16 years ago

Last modified 16 years ago

#9866 closed (fixed)

403 Permission denied on trying to add user

Reported by: a-m-m-d@…
Owned by: nobody
Component: contrib.admin
Version: 1.0
Severity:
Keywords: admin, add user
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If an (admin) user is only allowed to add users and tries to add users, a 403 Permission denied page is shown.
It works when the admin is allowed to only change or add users,
but does not work when he is allowed to do everything other than change users.
Adding groups works normally.

Using Django 1.0.2 on Debian. Thanks in advance.

Change History (8)

comment:1 by Adrian Holovaty, 16 years ago

Component: Authentication → django.contrib.admin
Triage Stage: Unreviewed → Accepted

I've confirmed the bug. To reproduce:

  • Create an admin user whose only permission is to add users.
  • Log in to the admin as that user.
  • Click "Add user".
  • You get a "Permission denied" page, which I believe is the result of the PermissionDenied exception.

comment:2 by Adrian Holovaty, 16 years ago

(In [9682]) Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

comment:3 by Adrian Holovaty, 16 years ago

Ahhh, I've remembered why this "bug" happens -- it's because we require both the "Add user" and "Change user" permissions in order to add a user. See the comment I added in [9682] for an explanation.

comment:4 by Adrian Holovaty, 16 years ago

(In [9684]) Added some documentation explaining (1) that it's possible to add users via the Django admin site, and (2) that in order to be able to add users via the admin site, you need to have both 'add user' and 'change user' permissions. Refs #9866

comment:5 by Adrian Holovaty, 16 years ago

(In [9683]) Improved the auth admin site to raise Http404 with a helpful error message if DEBUG is True, explaining why permission isn't denied. Refs #9866, and see also [9682]

comment:6 by Adrian Holovaty, 16 years ago

Resolution: fixed
Status: new → closed

OK, I'm marking this as fixed, as it's actually intentional behavior, and I've now documented it and added a helpful error message if DEBUG is True. Thanks for calling it to our attention!

comment:7 by Adrian Holovaty, 16 years ago

(In [9685]) [1.0.X] Merged [9682], [9683] and [9684] from trunk. These were changes dealing with documenting and adding a helpful error message for the quirk of admin users needing 'change user' permission to add users. Refs #9866

comment:8 by (none), 16 years ago

milestone: post-1.0

Milestone post-1.0 deleted
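
The rule the comments above describe, modelled as an added example (not Django's code and not part of the ticket): an audit that finds accounts holding "Add user" without "Change user" and reports what the admin add-user page returns for them. The group and account names are constructed, and the handling of superusers and inactive accounts assumes Django's default permission backend.

```python
# Added illustration: a model of the rule in this ticket, not Django's own code.
from dataclasses import dataclass, field

ADD, CHANGE = "auth.add_user", "auth.change_user"

@dataclass
class Account:
    username: str
    perms: set = field(default_factory=set)      # permissions assigned directly
    groups: list = field(default_factory=list)   # names of groups the account is in
    is_superuser: bool = False
    is_active: bool = True

def effective_perms(acct, group_perms):
    """Direct plus group permissions; inactive accounts hold none (assumption)."""
    if not acct.is_active:
        return set()
    return set(acct.perms).union(*(group_perms.get(g, set()) for g in acct.groups))

def add_user_outcome(acct, group_perms, debug=False):
    """What the admin "Add user" page returns: 'allowed', '403' or '404'."""
    if acct.is_active and acct.is_superuser:
        return "allowed"
    perms = effective_perms(acct, group_perms)
    if CHANGE not in perms:
        # Add-only accounts get the explanatory 404 when DEBUG is True.
        return "404" if (ADD in perms and debug) else "403"
    return "allowed" if ADD in perms else "403"

def audit(accounts, group_perms):
    """Usernames holding add-user without change-user (the reported setup)."""
    return [a.username for a in accounts
            if not (a.is_active and a.is_superuser)
            and ADD in effective_perms(a, group_perms)
            and CHANGE not in effective_perms(a, group_perms)]

# Constructed sample data (hypothetical groups and accounts).
GROUP_PERMS = {"helpdesk": {ADD}, "user-admins": {ADD, CHANGE}}
ACCOUNTS = [
    Account("alice", groups=["helpdesk"]),                # add only, via group
    Account("bob", groups=["user-admins"]),               # add and change
    Account("carol", perms={ADD}, groups=["user-admins"]),
    Account("dave", perms={ADD}, is_active=False),        # inactive
    Account("root", is_superuser=True),
]

if __name__ == "__main__":
    for a in ACCOUNTS:
        print(a.username, add_user_outcome(a, GROUP_PERMS), add_user_outcome(a, GROUP_PERMS, debug=True))
    print("add without change:", audit(ACCOUNTS, GROUP_PERMS))
```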
