Opened 8 years ago

Closed 6 years ago

#6977 closed (invalid)

should check has_add_permission(), not has_change_permission(), in user add view

Reported by: dfrishberg@… Owned by: mk
Component: contrib.auth Version: newforms-admin
Severity: Keywords: nfa-someday
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


django/contrib/auth/ The first thing that is done is to check whether the user has change permissions. This should be add permissions for the add view.

Attachments (1)

6977.patch (1.5 KB) - added by mk 7 years ago.

Download all attachments as: .zip

Change History (7)

comment:1 Changed 7 years ago by Karen Tracey <kmtracey@…>

  • Keywords nfa-someday added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Looks to be the same check as is done for the old admin (see Since it doesn't seem to have been behavior introduced by nfa, should not block merge.

comment:2 Changed 7 years ago by Karen Tracey <kmtracey@…>

#7606 is a dup

comment:3 Changed 7 years ago by Karen Tracey <kmtracey@…>

  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 7 years ago by mk

  • Has patch set
  • Owner changed from nobody to mk
  • Status changed from new to assigned

It's not as simple as just changing has_change_permission to has_add_permission. The place where the user should be redirected to has to be determined with has_change_permission (either continue editing the newly created user or redirect to the admin frontpage).

Changed 7 years ago by mk

comment:5 Changed 7 years ago by mk

  • Component changed from Uncategorized to Authentication

comment:6 Changed 6 years ago by mk

  • Resolution set to invalid
  • Status changed from assigned to closed

From django/contrib/auth/

def add_view(self, request):

# It's an error for a user to have add permission but NOT change
# permission for users. If we allowed such users to add users, they
# could create superusers, which would mean they would essentially have
# the permission to change users. To avoid the problem entirely, we
# disallow users from adding users if they don't have change
# permission.

Note: See TracTickets for help on using tickets.
Back to Top