Author: adrian
Date: 2008-12-25 00:04:11 -0600 (Thu, 25 Dec 2008)
New Revision: 9682
Modified:
django/trunk/django/contrib/auth/admin.py
Log:
Added comment to UserAdmin.add_view() explaining why we disallow users without
change permissions from adding other users. Refs #9866
Modified: django/trunk/django/contrib/auth/admin.py
===================================================================
--- django/trunk/django/contrib/auth/admin.py 2008-12-23 18:28:22 UTC (rev
9681)
+++ django/trunk/django/contrib/auth/admin.py 2008-12-25 06:04:11 UTC (rev
9682)
@@ -42,6 +42,12 @@
return super(UserAdmin, self).__call__(request, url)
def add_view(self, request):
+ # It's an error for a user to have add permission but NOT change
+ # permission for users. If we allowed such users to add users, they
+ # could create superusers, which would mean they would essentially have
+ # the permission to change users. To avoid the problem entirely, we
+ # disallow users from adding users if they don't have change
+ # permission.
if not self.has_change_permission(request):
raise PermissionDenied
if request.method == 'POST':
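Review bot: The guard under the new comment tests only `has_change_permission`, although the comment reasons about users who hold the add permission, and the visible lines do not show add permission being required. add_view's body continues past the last line shown, so this may be handled further down. If it is not, a user with change-only permission would reach the POST branch, and the guard could read `if not (self.has_add_permission(request) and self.has_change_permission(request)):`. The comment would also be more useful if it named the path by which a newly added account could end up a superuser (presumably fields that become editable right after creation), so a later maintainer knows which invariant this check protects before relaxing it.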