Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#9866 closed (fixed)

403 Permission denied on trying to add user

Reported by: a-m-m-d@… Owned by: nobody
Component: contrib.admin Version: 1.0
Severity: Keywords: admin, add user
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If a(n admin) user is only allowed to add users, and when he tries to add users, a 403 Permission denied page is shown.
It works when the admin is allowed to only change or add users,
but does not work when he is allowed to do everything other than change users.
Adding groups work normally.

Using django 1.0.2 on debian. Thanks in advance

Change History (8)

comment:1 by Adrian Holovaty, 15 years ago

Component: Authenticationdjango.contrib.admin
Triage Stage: UnreviewedAccepted

I've confirmed the bug. To reproduce:

  • Create an admin user whose only permission is to add users.
  • Log in to the admin as that user.
  • Click "Add user".
  • You get a "Permission denied" page, which I believe is the result of the PermissionDenied exception.

comment:2 by Adrian Holovaty, 15 years ago

(In [9682]) Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

comment:3 by Adrian Holovaty, 15 years ago

Ahhh, I've remembered why this "bug" happens -- it's because we require both the "Add user" and "Change user" permissions in order to add a user. See the comment I added in [9682] for an explanation.

comment:4 by Adrian Holovaty, 15 years ago

(In [9684]) Added some documentation explaining (1) that it's possible to add users via the Django admin site, and (2) that in order to be able to add users via the admin site, you need to have both 'add user' and 'change user' permissions. Refs #9866

comment:5 by Adrian Holovaty, 15 years ago

(In [9683]) Improved the auth admin site to raise Http404 with a helpful error message if DEBUG is True, explaining why permission isn't denied. Refs #9866, and see also [9682]

comment:6 by Adrian Holovaty, 15 years ago

Resolution: fixed
Status: newclosed

OK, I'm marking this as fixed, as it's actually intentional behavior, and I've now documented it and added a helpful error message if DEBUG is True. Thanks for calling it to our attention!

comment:7 by Adrian Holovaty, 15 years ago

(In [9685]) [1.0.X] Merged [9682], [9683] and [9684] from trunk. These were changes dealing with documenting and adding a helpful error message for the quirk of admin users needing 'change user' permission to add users. Refs #9866

comment:8 by (none), 15 years ago

milestone: post-1.0

Milestone post-1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top