Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#24567 closed Bug (invalid)

/admin/auth/user/add/ requires "auth | user | Can change user" permission

Reported by: Michael Angeletti
Owned by: nobody
Component: contrib.admin
Version: 1.8
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I'm getting a 403 when I visit /admin/auth/user/add/ with a staff User that has only the auth | user | Can add user permission. After adding auth | user | Can change user, I'm able to access the aforementioned URL without issue.

Change History (3)

comment:1 Changed 4 years ago by Tim Graham

Resolution: invalid
Status: new → closed

This is expected behavior. Please see the auth documentation.

Also note: if you want a user account to be able to create users using the Django admin site, you’ll need to give them permission to add users and change users (i.e., the “Add user” and “Change user” permissions). If an account has permission to add users but not to change them, that account won’t be able to add users. Why? Because if you have permission to add users, you have the power to create superusers, which can then, in turn, change other users. So Django requires add and change permissions as a slight security measure.
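As an added illustration (not Django's own code and not part of the ticket), the following pure-Python model captures the rule comment:1 describes: the add-user view answers 200 only to a staff account holding both the add and change permissions, and 403 otherwise. It also includes an audit helper that lists staff accounts granted the add permission without the change permission, which is the configuration the reporter hit; the permission strings and sample accounts are constructed for the example.

```python
"""Model of the admin add-user permission rule described in the ticket.
This is example code, not Django's implementation."""

# Both permissions must be present to reach /admin/auth/user/add/.
REQUIRED_FOR_USER_ADD_VIEW = frozenset({"auth.add_user", "auth.change_user"})


def user_add_view_allowed(is_staff, perms):
    """Return the HTTP status the admin would answer with (200 or 403).

    A non-staff account never gets in; a staff account gets in only when
    it holds BOTH auth.add_user and auth.change_user.
    """
    if not is_staff:
        return 403
    if REQUIRED_FOR_USER_ADD_VIEW <= set(perms):
        return 200
    return 403


def missing_for_user_add(perms):
    """List the required permissions an account still lacks, sorted."""
    return sorted(REQUIRED_FOR_USER_ADD_VIEW - set(perms))


def audit_add_only_accounts(accounts):
    """Flag staff accounts that hold auth.add_user but not auth.change_user.

    These accounts will receive the 403 reported in the ticket, so a
    reviewer of permission grants would want them listed explicitly.
    """
    flagged = []
    for acct in accounts:
        perms = set(acct["perms"])
        if acct["is_staff"] and "auth.add_user" in perms \
                and "auth.change_user" not in perms:
            flagged.append(acct["username"])
    return flagged


# Constructed sample accounts (hypothetical, not taken from the ticket).
SAMPLE_ACCOUNTS = [
    {"username": "reporter", "is_staff": True, "perms": ["auth.add_user"]},
    {"username": "hr_admin", "is_staff": True,
     "perms": ["auth.add_user", "auth.change_user"]},
    {"username": "viewer", "is_staff": True, "perms": ["auth.change_user"]},
    {"username": "not_staff", "is_staff": False,
     "perms": ["auth.add_user", "auth.change_user"]},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["username"],
              user_add_view_allowed(acct["is_staff"], acct["perms"]),
              missing_for_user_add(acct["perms"]))
    print("add-only accounts:", audit_add_only_accounts(SAMPLE_ACCOUNTS))
```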

comment:2 Changed 4 years ago by Michael Angeletti

Ah, I see. Thanks for the explanation, @timgraham.

Because the User create form includes only username and password fields (no permission and staff/superuser fields), I wonder if it's worth exploring the option of changing this (e.g., user with only "can add User" permission adds a User with a username and password, is redirected back to the User list view).

comment:3 Changed 4 years ago by Tim Graham

Maybe... I didn't research when that restriction was added to see if things have changed since then.
