Opened 17 years ago

Closed 15 years ago

#6977 closed (invalid)

should check has_add_permission(), not has_change_permission(), in user add view

Reported by: dfrishberg@…
Owned by: Matthias Kestenholz
Component: contrib.auth
Version: newforms-admin
Severity:
Keywords: nfa-someday
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

django/contrib/auth/admin.py:UserAdmin:add_view(): The first thing that is done is to check whether the user has change permissions. This should be add permissions for the add view.

Attachments (1)

6977.patch (1.5 KB) - added by Matthias Kestenholz 16 years ago.


Change History (7)

comment:1 by Karen Tracey <kmtracey@…>, 17 years ago

Keywords: nfa-someday added

Looks to be the same check as is done for the old admin (see http://code.djangoproject.com/browser/django/trunk/django/contrib/admin/views/auth.py#L11). Since it doesn't seem to have been behavior introduced by nfa, should not block merge.

comment:2 by Karen Tracey <kmtracey@…>, 16 years ago

#7606 is a dup

comment:3 by Karen Tracey <kmtracey@…>, 16 years ago

Triage Stage: Unreviewed → Accepted

comment:4 by Matthias Kestenholz, 16 years ago

Has patch: set
Owner: changed from nobody to Matthias Kestenholz
Status: new → assigned

It's not as simple as just changing has_change_permission to has_add_permission. The place where the user should be redirected to has to be determined with has_change_permission (either continue editing the newly created user or redirect to the admin frontpage).

by Matthias Kestenholz, 16 years ago

Attachment: 6977.patch added

comment:5 by Matthias Kestenholz, 16 years ago

Component: Uncategorized → Authentication

comment:6 by Matthias Kestenholz, 15 years ago

Resolution: invalid
Status: assigned → closed

From django/contrib/auth/admin.py:

def add_view(self, request):
    # It's an error for a user to have add permission but NOT change
    # permission for users. If we allowed such users to add users, they
    # could create superusers, which would mean they would essentially have
    # the permission to change users. To avoid the problem entirely, we
    # disallow users from adding users if they don't have change
    # permission.
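
An added example, not part of the ticket or of Django's code: a stand-alone Python sketch of the rule quoted in comment:6, plus an audit that finds accounts holding the combination that comment calls an error (add permission without change permission on users). `auth.add_user` and `auth.change_user` are Django's permission strings for the User model; the function names, groups and accounts are hypothetical and the data is constructed.

```python
# Added example: constructed data, runs without Django installed.
ADD_USER = "auth.add_user"        # Django permission strings for the User model
CHANGE_USER = "auth.change_user"

def may_use_user_add_view(perms, is_superuser=False):
    """Rule from the quoted comment: adding users also requires change permission."""
    return is_superuser or (ADD_USER in perms and CHANGE_USER in perms)

def effective_perms(user, groups):
    """Direct permissions plus everything inherited from the user's groups."""
    perms = set(user["perms"])
    for name in user["groups"]:
        perms |= groups[name]
    return perms

def audit_add_without_change(users, groups):
    """Return (user, grant sources) for accounts holding add but not change."""
    findings = []
    for user in users:
        if user.get("is_superuser"):
            continue  # superusers pass every permission check anyway
        perms = effective_perms(user, groups)
        if ADD_USER in perms and CHANGE_USER not in perms:
            # Record where add_user came from so the grant can be corrected.
            sources = ["direct"] if ADD_USER in user["perms"] else []
            sources += [g for g in user["groups"] if ADD_USER in groups[g]]
            findings.append((user["name"], sources))
    return findings

# Constructed sample data (hypothetical groups and accounts).
GROUPS = {
    "helpdesk": {ADD_USER},
    "user-admins": {ADD_USER, CHANGE_USER},
    "editors": {"blog.add_post"},
}
USERS = [
    {"name": "alice", "perms": set(), "groups": ["helpdesk"]},
    {"name": "bob", "perms": {CHANGE_USER}, "groups": ["helpdesk"]},
    {"name": "carol", "perms": {ADD_USER}, "groups": ["editors"]},
    {"name": "dave", "perms": set(), "groups": ["user-admins"]},
    {"name": "root", "perms": set(), "groups": [], "is_superuser": True},
]

if __name__ == "__main__":
    for name, sources in audit_add_without_change(USERS, GROUPS):
        print(f"{name}: add_user without change_user (via {', '.join(sources)})")
```

Accounts the audit reports are refused by the add view under the quoted rule, so each finding is a grant to correct: either remove add permission or grant change permission deliberately.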
