Added comment to UserAdmin.add_view() explaining why we disallow users without change permissions from adding other users. Refs #9866

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9682 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-25 06:04:11 +00:00 · 2008-12-25 06:04:11 +00:00 · 62362c6175
parent 9af56803f5
commit 62362c6175
1 changed files with 6 additions and 0 deletions
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@ -42,6 +42,12 @@ class UserAdmin(admin.ModelAdmin):
        return super(UserAdmin, self).__call__(request, url)

    def add_view(self, request):
+        # It's an error for a user to have add permission but NOT change
+        # permission for users. If we allowed such users to add users, they
+        # could create superusers, which would mean they would essentially have
+        # the permission to change users. To avoid the problem entirely, we
+        # disallow users from adding users if they don't have change
+        # permission.
        if not self.has_change_permission(request):
            raise PermissionDenied
        if request.method == 'POST':