Opened 18 years ago
Closed 16 years ago
#6977 closed (invalid)
should check has_add_permission(), not has_change_permission(), in user add view
| Reported by: | | Owned by: | Matthias Kestenholz |
|---|---|---|---|
| Component: | contrib.auth | Version: | newforms-admin |
| Severity: | | Keywords: | nfa-someday |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
django/contrib/auth/admin.py:UserAdmin:add_view(): The first thing that is done is to check whether the user has change permissions. This should be add permissions for the add view.
Attachments (1)
Change History (7)
comment:1 by , 17 years ago
| Keywords: | nfa-someday added |
|---|
comment:3 by , 17 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:4 by , 17 years ago
| Has patch: | set |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
It's not as simple as just changing has_change_permission to has_add_permission. The place where the user should be redirected to has to be determined with has_change_permission (either continue editing the newly created user or redirect to the admin frontpage).
by , 17 years ago
| Attachment: | 6977.patch added |
|---|
comment:5 by , 17 years ago
| Component: | Uncategorized → Authentication |
|---|
comment:6 by , 16 years ago
| Resolution: | → invalid |
|---|---|
| Status: | assigned → closed |
From django/contrib/auth/admin.py:
```python
def add_view(self, request):
    # It's an error for a user to have add permission but NOT change
    # permission for users. If we allowed such users to add users, they
    # could create superusers, which would mean they would essentially have
    # the permission to change users. To avoid the problem entirely, we
    # disallow users from adding users if they don't have change
    # permission.
```
Looks to be the same check as is done for the old admin (see http://code.djangoproject.com/browser/django/trunk/django/contrib/admin/views/auth.py#L11). Since it doesn't seem to have been behavior introduced by nfa, should not block merge.
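The configuration the quoted source comment calls an error (add permission on users without change permission) can be audited for directly. The following is an added example, not code from this ticket or from Django: a pure-Python model in which the `Account` class, the group names and all sample accounts are constructed, and only the permission labels `auth.add_user` and `auth.change_user` are Django's own. It assumes the add view is reachable only with both permissions.

```python
from dataclasses import dataclass, field

ADD, CHANGE = "auth.add_user", "auth.change_user"  # Django permission labels

@dataclass
class Account:  # hypothetical stand-in for a user record
    name: str
    perms: set = field(default_factory=set)      # directly assigned permissions
    groups: list = field(default_factory=list)   # names of groups the account is in
    is_superuser: bool = False

def effective_perms(acct, group_perms):
    """Direct permissions plus everything inherited through groups."""
    perms = set(acct.perms)
    for group in acct.groups:
        perms |= group_perms.get(group, set())
    return perms

def has_perm(acct, perm, group_perms):
    return acct.is_superuser or perm in effective_perms(acct, group_perms)

def may_open_user_add_view(acct, group_perms):
    """Model of the gate: add permission alone is not enough, change is required too."""
    return has_perm(acct, ADD, group_perms) and has_perm(acct, CHANGE, group_perms)

def audit_add_without_change(accounts, group_perms):
    """Names of non-superusers that hold add_user but lack change_user."""
    flagged = []
    for acct in accounts:
        if acct.is_superuser:
            continue
        perms = effective_perms(acct, group_perms)
        if ADD in perms and CHANGE not in perms:
            flagged.append(acct.name)
    return sorted(flagged)

# Constructed sample data: group grants and accounts.
GROUP_PERMS = {"helpdesk": {ADD}, "user-admins": {ADD, CHANGE}}
ACCOUNTS = [
    Account("alice", groups=["user-admins"]),
    Account("bob", groups=["helpdesk"]),               # add only, via group
    Account("carol", perms={ADD}),                     # add only, direct grant
    Account("dave", perms={CHANGE}, groups=["helpdesk"]),
    Account("root", is_superuser=True),
]

if __name__ == "__main__":
    print("add without change:", audit_add_without_change(ACCOUNTS, GROUP_PERMS))
    for acct in ACCOUNTS:
        print(acct.name, may_open_user_add_view(acct, GROUP_PERMS))
```

Accounts flagged by the audit are the ones the gate turns away, so the list doubles as a report of grants that have no effect and should be either completed or removed.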