Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#9866 closed (fixed)

403 Permission denied on trying to add user

Reported by: a-m-m-d@…
Owned by: nobody
Component: contrib.admin
Version: 1.0
Severity:
Keywords: admin, add user
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If an admin user is only allowed to add users, a 403 Permission denied page is shown when he tries to add users.
It works when the admin is allowed to only change or add users,
but does not work when he is allowed to do everything other than change users.
Adding groups works normally.

Using Django 1.0.2 on Debian. Thanks in advance.

Attachments (0)

Change History (8)

comment:1 Changed 6 years ago by adrian

  • Component changed from Authentication to django.contrib.admin
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

I've confirmed the bug. To reproduce:

  • Create an admin user whose only permission is to add users.
  • Log in to the admin as that user.
  • Click "Add user".
  • You get a "Permission denied" page, which I believe is the result of the PermissionDenied exception.

comment:2 Changed 6 years ago by adrian

(In [9682]) Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

comment:3 Changed 6 years ago by adrian

Ahhh, I've remembered why this "bug" happens -- it's because we require both the "Add user" and "Change user" permissions in order to add a user. See the comment I added in [9682] for an explanation.

comment:4 Changed 6 years ago by adrian

(In [9684]) Added some documentation explaining (1) that it's possible to add users via the Django admin site, and (2) that in order to be able to add users via the admin site, you need to have both 'add user' and 'change user' permissions. Refs #9866

comment:5 Changed 6 years ago by adrian

(In [9683]) Improved the auth admin site to raise Http404 with a helpful error message if DEBUG is True, explaining why permission isn't denied. Refs #9866, and see also [9682]

comment:6 Changed 6 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

OK, I'm marking this as fixed, as it's actually intentional behavior, and I've now documented it and added a helpful error message if DEBUG is True. Thanks for calling it to our attention!

comment:7 Changed 6 years ago by adrian

(In [9685]) [1.0.X] Merged [9682], [9683] and [9684] from trunk. These were changes dealing with documenting and adding a helpful error message for the quirk of admin users needing 'change user' permission to add users. Refs #9866

comment:8 Changed 5 years ago by anonymous

  • milestone post-1.0 deleted

Milestone post-1.0 deleted
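
The rule described in comments 3 to 5, as an added example that is not part of the ticket or of Django's code: a simplified model of the "Add user" gate and an audit that flags staff accounts holding `auth.add_user` without `auth.change_user`, directly or through a group. The account and group dictionaries, the helper names and the sample data are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not Django source) of the gate described in
# this ticket: adding a user in the admin needs BOTH auth.add_user and
# auth.change_user; with DEBUG on, the add-only case gets an explanatory 404.
ADD, CHANGE = "auth.add_user", "auth.change_user"


def effective_perms(account, groups):
    """Union of direct permissions and permissions inherited from groups."""
    perms = set(account.get("perms", ()))
    for name in account.get("groups", ()):
        perms |= set(groups.get(name, ()))
    return perms


def add_user_status(account, groups, debug=False):
    """HTTP status the 'Add user' page would return for a staff account."""
    if account.get("is_superuser"):
        return 200  # superusers implicitly hold every permission
    perms = effective_perms(account, groups)
    if CHANGE not in perms:
        # Add-only accounts are refused; DEBUG swaps the 403 for a 404 + hint.
        return 404 if (ADD in perms and debug) else 403
    return 200 if ADD in perms else 403


def audit(accounts, groups):
    """Names of staff accounts granted add-user without change-user."""
    flagged = []
    for name, account in sorted(accounts.items()):
        if not account.get("is_staff") or account.get("is_superuser"):
            continue
        perms = effective_perms(account, groups)
        if ADD in perms and CHANGE not in perms:
            flagged.append(name)
    return flagged


# Constructed sample data (not taken from the ticket).
GROUPS = {"helpdesk": [ADD], "user-admins": [ADD, CHANGE]}
ACCOUNTS = {
    "alice": {"is_staff": True, "groups": ["helpdesk"]},
    "bob": {"is_staff": True, "groups": ["user-admins"]},
    "carol": {"is_staff": True, "perms": [CHANGE]},
    "dave": {"is_staff": True, "groups": ["helpdesk"], "perms": [CHANGE]},
    "root": {"is_staff": True, "is_superuser": True},
}

if __name__ == "__main__":
    for name in audit(ACCOUNTS, GROUPS):
        print(name, "cannot add users: has add_user but lacks change_user")
```

In a real project the same check would read permissions from the database with `user.has_perm("auth.add_user")` and `user.has_perm("auth.change_user")` instead of these dictionaries.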
