
Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 9af5680 commit 62362c61757acfd68201ad737db98108a0146151 @adrianholovaty adrianholovaty committed Dec 25, 2008
Showing with 6 additions and 0 deletions.
  1. +6 −0 django/contrib/auth/
@@ -42,6 +42,12 @@ def __call__(self, request, url):
return super(UserAdmin, self).__call__(request, url)
def add_view(self, request):
+ # It's an error for a user to have add permission but NOT change
+ # permission for users. If we allowed such users to add users, they
+ # could create superusers, which would mean they would essentially have
+ # the permission to change users. To avoid the problem entirely, we
+ # disallow users from adding users if they don't have change
+ # permission.
if not self.has_change_permission(request):
raise PermissionDenied
if request.method == 'POST':
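
Review bot: The bare `raise PermissionDenied` under `if not self.has_change_permission(request):` in `add_view` gives a user who has add permission but not change permission no indication of why the add page is refused, and the new comment explains the reasoning only to someone reading the source. Consider attaching a message to the exception, or documenting the requirement alongside the admin permissions, so that an administrator who granted only the add permission can diagnose the denial. The comment's opening "It's an error for a user to have add permission but NOT change permission" could also be reworded: the code does not flag that configuration as invalid anywhere in these lines, it only denies the request, so something like "We treat add permission without change permission as insufficient" would match what the check does.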
