From 62362c61757acfd68201ad737db98108a0146151 Mon Sep 17 00:00:00 2001
From: Adrian Holovaty
Date: Thu, 25 Dec 2008 06:04:11 +0000
Subject: [PATCH] Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9682 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/auth/admin.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/django/contrib/auth/admin.py b/django/contrib/auth/admin.py
index 1e4c480fb9..598d72bcf2 100644
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -42,6 +42,12 @@ class UserAdmin(admin.ModelAdmin):
         return super(UserAdmin, self).__call__(request, url)
 
     def add_view(self, request):
+        # It's an error for a user to have add permission but NOT change
+        # permission for users. If we allowed such users to add users, they
+        # could create superusers, which would mean they would essentially have
+        # the permission to change users. To avoid the problem entirely, we
+        # disallow users from adding users if they don't have change
+        # permission.
         if not self.has_change_permission(request):
             raise PermissionDenied
         if request.method == 'POST':
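Review bot: The added comment says "change permission" loosely, while the guard it documents calls `self.has_change_permission(request)` with no object argument, i.e. the model-wide change permission on User rather than permission on any particular user, and naming that makes the rationale easier to verify against the check. I would tighten the first sentence to `# It's an error for a user to have add permission but NOT the model-level change permission for users.` and add that the check runs before any form is built, so both GET and POST are refused. The threat the comment describes, creating a superuser through the add form, is equivalent to holding change rights, so the placement of the guard directly under the signature is right; the remainder of add_view continues outside the hunk.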