[1.0.X] Merged [9682], [9683] and [9684] from trunk. These were changes dealing with documenting and adding a helpful error message for the quirk of admin users needing 'change user' permission to add users. Refs #9866
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@9685 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
3abbb455b2
commit
fd9ddb2dc1
|
@ -1,14 +1,14 @@
|
|||
|
||||
from django import template
|
||||
from django.conf import settings
|
||||
from django.contrib import admin
|
||||
from django.contrib.auth.forms import UserCreationForm, UserChangeForm, AdminPasswordChangeForm
|
||||
from django.contrib.auth.models import User, Group
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django import template
|
||||
from django.http import HttpResponseRedirect, Http404
|
||||
from django.shortcuts import render_to_response, get_object_or_404
|
||||
from django.template import RequestContext
|
||||
from django.utils.html import escape
|
||||
from django.http import HttpResponseRedirect
|
||||
from django.utils.translation import ugettext, ugettext_lazy as _
|
||||
from django.contrib.auth.forms import UserCreationForm, UserChangeForm, AdminPasswordChangeForm
|
||||
from django.contrib import admin
|
||||
|
||||
class GroupAdmin(admin.ModelAdmin):
|
||||
search_fields = ('name',)
|
||||
|
@ -42,7 +42,17 @@ class UserAdmin(admin.ModelAdmin):
|
|||
return super(UserAdmin, self).__call__(request, url)
|
||||
|
||||
def add_view(self, request):
|
||||
# It's an error for a user to have add permission but NOT change
|
||||
# permission for users. If we allowed such users to add users, they
|
||||
# could create superusers, which would mean they would essentially have
|
||||
# the permission to change users. To avoid the problem entirely, we
|
||||
# disallow users from adding users if they don't have change
|
||||
# permission.
|
||||
if not self.has_change_permission(request):
|
||||
if self.has_add_permission(request) and settings.DEBUG:
|
||||
# Raise Http404 in debug mode so that the user gets a helpful
|
||||
# error message.
|
||||
raise Http404('Your user does not have the "Change user" permission. In order to add users, Django requires that your user account have both the "Add user" and "Change user" permissions set.')
|
||||
raise PermissionDenied
|
||||
if request.method == 'POST':
|
||||
form = self.add_form(request.POST)
|
||||
|
|
|
@ -292,6 +292,21 @@ that comes with Django::
|
|||
>>> user.is_staff = True
|
||||
>>> user.save()
|
||||
|
||||
You can also create users using the Django admin site. Assuming you've enabled
|
||||
the admin site and hooked it to the URL ``/admin/``, the "Add user" page is at
|
||||
``/admin/auth/user/add/``. You should also see a link to "Users" in the "Auth"
|
||||
section of the main admin index page. The "Add user" admin page is different
|
||||
than standard admin pages in that it requires you to choose a username and
|
||||
password before allowing you to edit the rest of the user's fields.
|
||||
|
||||
Also note: if you want your own user account to be able to create users using
|
||||
the Django admin site, you'll need to give yourself permission to add users
|
||||
*and* change users (i.e., the "Add user" and "Change user" permissions). If
|
||||
your account has permission to add users but not to change them, you won't be
|
||||
able to add users. Why? Because if you have permission to add users, you have
|
||||
the power to create superusers, which can then, in turn, change other users. So
|
||||
Django requires add *and* change permissions as a slight security measure.
|
||||
|
||||
Changing passwords
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
Loading…
Reference in New Issue