Opened 17 years ago
Closed 15 years ago
#6977 closed (invalid)
should check has_add_permission(), not has_change_permission(), in user add view
Reported by: | Owned by: | Matthias Kestenholz | |
---|---|---|---|
Component: | contrib.auth | Version: | newforms-admin |
Severity: | Keywords: | nfa-someday | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
django/contrib/auth/admin.py:UserAdmin:add_view(): The first thing that is done is to check whether the user has change permissions. This should be add permissions for the add view.
Attachments (1)
Change History (7)
comment:1 by , 17 years ago
Keywords: | nfa-someday added |
---|
comment:3 by , 16 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:4 by , 16 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
Status: | new → assigned |
It's not as simple as just changing has_change_permission to has_add_permission. The place where the user should be redirected to has to be determined with has_change_permission (either continue editing the newly created user or redirect to the admin frontpage).
by , 16 years ago
Attachment: | 6977.patch added |
---|
comment:5 by , 16 years ago
Component: | Uncategorized → Authentication |
---|
comment:6 by , 15 years ago
Resolution: | → invalid |
---|---|
Status: | assigned → closed |
From django/contrib/auth/admin.py:
    def add_view(self, request):
        # It's an error for a user to have add permission but NOT change
        # permission for users. If we allowed such users to add users, they
        # could create superusers, which would mean they would essentially have
        # the permission to change users. To avoid the problem entirely, we
        # disallow users from adding users if they don't have change
        # permission.
Looks to be the same check as is done for the old admin (see http://code.djangoproject.com/browser/django/trunk/django/contrib/admin/views/auth.py#L11). Since it doesn't seem to have been behavior introduced by nfa, should not block merge.
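
The reasoning in the quoted source comment, as an added example that is neither Django's code nor part of the ticket: a pure-Python model in which `Account`, `naive_add_view`, `guarded_add_view` and `redirect_after_add` are hypothetical stand-ins. It assumes, as the comment states, that the add view can create a superuser.

```python
# Added illustration; every name here is a hypothetical stand-in, not Django's API.
ADD, CHANGE = "auth.add_user", "auth.change_user"


class PermissionDenied(Exception):
    """Raised when the requester may not use the add view."""


class Account:
    def __init__(self, name, perms=(), is_superuser=False):
        self.name = name
        self.perms = frozenset(perms)
        self.is_superuser = is_superuser

    def has_perm(self, perm):
        # A superuser implicitly holds every permission.
        return self.is_superuser or perm in self.perms


def naive_add_view(requester, new_name, make_superuser=False):
    """Checks only the add permission, as the ticket title proposes."""
    if not requester.has_perm(ADD):
        raise PermissionDenied("add permission required")
    return Account(new_name, is_superuser=make_superuser)


def guarded_add_view(requester, new_name, make_superuser=False):
    """Refuses add-only accounts, following the quoted source comment."""
    if not (requester.has_perm(ADD) and requester.has_perm(CHANGE)):
        raise PermissionDenied("add and change permission required")
    return Account(new_name, is_superuser=make_superuser)


def redirect_after_add(requester):
    """Comment 4's point: the post-save target depends on change permission."""
    return "change_form" if requester.has_perm(CHANGE) else "admin_index"


def is_denied(view, requester):
    """True when the given view refuses the requester."""
    try:
        view(requester, "new-account", make_superuser=True)
    except PermissionDenied:
        return True
    return False


# Constructed sample accounts.
clerk = Account("clerk", perms={ADD})            # add permission only
manager = Account("manager", perms={ADD, CHANGE})
```

With the add-only check, `clerk` ends up controlling an account that holds the change permission it was never granted; the guarded check closes that path while leaving `manager` unaffected.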