Opened 7 years ago

Closed 6 years ago

#6977 closed (invalid)

should check has_add_permission(), not has_change_permission(), in user add view

Reported by: dfrishberg@…
Owned by: mk
Component: contrib.auth
Version: newforms-admin
Severity:
Keywords: nfa-someday
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

django/contrib/auth/admin.py:UserAdmin:add_view(): The first thing that is done is to check whether the user has change permissions. This should be add permissions for the add view.

Attachments (1)

6977.patch (1.5 KB) - added by mk 7 years ago.


Change History (7)

comment:1 Changed 7 years ago by Karen Tracey <kmtracey@…>

  • Keywords nfa-someday added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Looks to be the same check as is done for the old admin (see http://code.djangoproject.com/browser/django/trunk/django/contrib/admin/views/auth.py#L11). Since it doesn't seem to have been behavior introduced by nfa, should not block merge.

comment:2 Changed 7 years ago by Karen Tracey <kmtracey@…>

#7606 is a dup

comment:3 Changed 7 years ago by Karen Tracey <kmtracey@…>

  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 7 years ago by mk

  • Has patch set
  • Owner changed from nobody to mk
  • Status changed from new to assigned

It's not as simple as just changing has_change_permission to has_add_permission. The place where the user should be redirected to has to be determined with has_change_permission (either continue editing the newly created user or redirect to the admin frontpage).

Changed 7 years ago by mk

comment:5 Changed 7 years ago by mk

  • Component changed from Uncategorized to Authentication

comment:6 Changed 6 years ago by mk

  • Resolution set to invalid
  • Status changed from assigned to closed

From django/contrib/auth/admin.py:

    def add_view(self, request):
        # It's an error for a user to have add permission but NOT change
        # permission for users. If we allowed such users to add users, they
        # could create superusers, which would mean they would essentially have
        # the permission to change users. To avoid the problem entirely, we
        # disallow users from adding users if they don't have change
        # permission.
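
The rule in the quoted comment can also be checked against a site's role assignments, to find accounts that hold add permission for users without change permission. The following is an added example, not code from Django or from this ticket: a plain-Python model in which the Account class, the group names and the sample data are constructed, and only the permission codenames auth.add_user and auth.change_user are Django's.

```python
from dataclasses import dataclass, field
ADD, CHANGE = "auth.add_user", "auth.change_user"  # Django's permission codenames

@dataclass
class Account:  # hypothetical stand-in for a user record, not Django's User model
    name: str
    perms: set = field(default_factory=set)     # directly assigned permissions
    groups: list = field(default_factory=list)  # names of groups the account is in
    is_active: bool = True
    is_superuser: bool = False

def effective_perms(account, group_perms):
    """Union of direct and group-granted permissions; inactive accounts get none."""
    if not account.is_active:
        return set()
    perms = set(account.perms)
    for group in account.groups:
        perms |= group_perms.get(group, set())
    return perms

def add_view_allowed(account, group_perms):
    """Model of the quoted rule (requiring add as well is an assumption here)."""
    if account.is_active and account.is_superuser:
        return True
    perms = effective_perms(account, group_perms)
    return ADD in perms and CHANGE in perms

def misconfigured(accounts, group_perms):
    """Active non-superusers holding add_user without change_user, with grant sources."""
    findings = []
    for acct in accounts:
        perms = effective_perms(acct, group_perms)
        if acct.is_superuser or ADD not in perms or CHANGE in perms:
            continue
        sources = ["direct"] if ADD in acct.perms else []
        sources += [g for g in acct.groups if ADD in group_perms.get(g, set())]
        findings.append((acct.name, sorted(sources)))
    return findings

# Constructed sample data: group names and accounts are invented for illustration.
GROUP_PERMS = {"helpdesk": {ADD}, "user-admins": {ADD, CHANGE}, "editors": {CHANGE}}
ACCOUNTS = [
    Account("alice", groups=["helpdesk"]),
    Account("bob", groups=["user-admins"]),
    Account("carol", perms={ADD}, groups=["editors"]),
    Account("dave", perms={ADD}, is_active=False),
    Account("erin", perms={ADD}, groups=["helpdesk"]),
    Account("root", is_superuser=True),
]
```

Each finding names the account and where the add permission was granted, so the role can be fixed either by removing add_user or by granting change_user deliberately.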
