Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9682 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 62362c61757acfd68201ad737db98108a0146151 1 parent 9af5680
@adrianholovaty adrianholovaty authored
Showing with 6 additions and 0 deletions.
  1. +6 −0 django/contrib/auth/admin.py
6 django/contrib/auth/admin.py
@@ -42,6 +42,12 @@ def __call__(self, request, url):
return super(UserAdmin, self).__call__(request, url)
def add_view(self, request):
+ # It's an error for a user to have add permission but NOT change
+ # permission for users. If we allowed such users to add users, they
+ # could create superusers, which would mean they would essentially have
+ # the permission to change users. To avoid the problem entirely, we
+ # disallow users from adding users if they don't have change
+ # permission.
if not self.has_change_permission(request):
raise PermissionDenied
if request.method == 'POST':
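Review bot: the new comment above `if not self.has_change_permission(request):` explains the rule only to people reading the source, while the check itself still raises a bare `PermissionDenied`. An account configured with add but not change permission for users gets a denial with nothing pointing at the permission combination as the cause. Consider passing a short message to the exception, or stating the rule where administrators assign permissions. The wording "It's an error" also suggests the combination is rejected when it is assigned, whereas the visible code only denies the add view; something like "We treat add permission without change permission as insufficient here" would match what the code does.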