Opened 9 years ago

Closed 7 years ago

#6977 closed (invalid)

should check has_add_permission(), not has_change_permission(), in user add view

Reported by: dfrishberg@… Owned by: Matthias Kestenholz
Component: contrib.auth Version: newforms-admin
Severity: Keywords: nfa-someday
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


django/contrib/auth/ The first thing that is done is to check whether the user has change permissions. This should be add permissions for the add view.

Attachments (1)

6977.patch (1.5 KB) - added by Matthias Kestenholz 8 years ago.

Download all attachments as: .zip

Change History (7)

comment:1 Changed 8 years ago by Karen Tracey <kmtracey@…>

Keywords: nfa-someday added
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

Looks to be the same check as is done for the old admin (see Since it doesn't seem to have been behavior introduced by nfa, should not block merge.

comment:2 Changed 8 years ago by Karen Tracey <kmtracey@…>

#7606 is a dup

comment:3 Changed 8 years ago by Karen Tracey <kmtracey@…>

Triage Stage: UnreviewedAccepted

comment:4 Changed 8 years ago by Matthias Kestenholz

Has patch: set
Owner: changed from nobody to Matthias Kestenholz
Status: newassigned

It's not as simple as just changing has_change_permission to has_add_permission. The place where the user should be redirected to has to be determined with has_change_permission (either continue editing the newly created user or redirect to the admin frontpage).

Changed 8 years ago by Matthias Kestenholz

Attachment: 6977.patch added

comment:5 Changed 8 years ago by Matthias Kestenholz

Component: UncategorizedAuthentication

comment:6 Changed 7 years ago by Matthias Kestenholz

Resolution: invalid
Status: assignedclosed

From django/contrib/auth/

def add_view(self, request):

# It's an error for a user to have add permission but NOT change
# permission for users. If we allowed such users to add users, they
# could create superusers, which would mean they would essentially have
# the permission to change users. To avoid the problem entirely, we
# disallow users from adding users if they don't have change
# permission.

Note: See TracTickets for help on using tickets.
Back to Top