Commit 62362c61 authored by Adrian Holovaty's avatar Adrian Holovaty

Added comment to UserAdmin.add_view() explaining why we disallow users without...

Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9682 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 9af56803
+6 −0
@@ -42,6 +42,12 @@ class UserAdmin(admin.ModelAdmin):
        return super(UserAdmin, self).__call__(request, url)

    def add_view(self, request):
        # It's an error for a user to have add permission but NOT change
        # permission for users. If we allowed such users to add users, they
        # could create superusers, which would mean they would essentially have
        # the permission to change users. To avoid the problem entirely, we
        # disallow users from adding users if they don't have change
        # permission.
        if not self.has_change_permission(request):
            raise PermissionDenied
        if request.method == 'POST':
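Review bot: The new comment in add_view gives the reason for the guard but not its effect: an account granted add-without-change on users gets a bare `PermissionDenied` with no hint of the cause, and the rule is recorded only in this source comment. Because this check is what keeps an add-only account from escalating to superuser creation, I would mark it as a security control so it is not later removed as redundant, e.g. `# Security check (privilege escalation): keep this even if add permission is verified elsewhere.` It would also help to state the add-plus-change requirement in the admin documentation, so a misconfigured role is diagnosable. Where the add permission itself is checked is not visible here, and add_view's body continues past the last line of the hunk.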