Re: [Django] #9866: 403 Permission denied on trying to add user

2008-12-24 Thread Django
#9866: 403 Permission denied on trying to add user
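--------------------------------------------+--------------------------------
          Reporter:  a-m-...@hotmail.com    |        Owner:  nobody
            Status:  closed                 |    Milestone:  post-1.0
         Component:  django.contrib.admin   |      Version:  1.0
        Resolution:  fixed                  |     Keywords:  admin, add user
             Stage:  Accepted               |    Has_patch:  0
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------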
Changes (by adrian):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 OK, I'm marking this as fixed, as it's actually intentional behavior, and
 I've now documented it and added a helpful error message if {{{DEBUG}}} is
 {{{True}}}. Thanks for calling it to our attention!

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
-~--~~~~--~~--~--~---



Re: [Django] #9866: 403 Permission denied on trying to add user

2008-12-24 Thread Django
#9866: 403 Permission denied on trying to add user
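--------------------------------------------+--------------------------------
          Reporter:  a-m-...@hotmail.com    |        Owner:  nobody
            Status:  new                    |    Milestone:  post-1.0
         Component:  django.contrib.admin   |      Version:  1.0
        Resolution:                         |     Keywords:  admin, add user
             Stage:  Accepted               |    Has_patch:  0
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------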
Comment (by adrian):

 (In [9683]) Improved the auth admin site to raise Http404 with a helpful
 error message if DEBUG is True, explaining why permission isn't denied.
 Refs #9866, and see also [9682]




[Changeset] r9684 - django/trunk/docs/topics

2008-12-24 Thread noreply

Author: adrian
Date: 2008-12-25 00:19:14 -0600 (Thu, 25 Dec 2008)
New Revision: 9684

Modified:
   django/trunk/docs/topics/auth.txt
Log:
Added some documentation explaining (1) that it's possible to add users via the 
Django admin site, and (2) that in order to be able to add users via the admin 
site, you need to have both 'add user' and 'change user' permissions. Refs #9866

Modified: django/trunk/docs/topics/auth.txt
===
--- django/trunk/docs/topics/auth.txt   2008-12-25 06:17:42 UTC (rev 9683)
+++ django/trunk/docs/topics/auth.txt   2008-12-25 06:19:14 UTC (rev 9684)
@@ -292,6 +292,21 @@
 >>> user.is_staff = True
 >>> user.save()
 
+You can also create users using the Django admin site. Assuming you've enabled
+the admin site and hooked it to the URL ``/admin/``, the "Add user" page is at
+``/admin/auth/user/add/``. You should also see a link to "Users" in the "Auth"
+section of the main admin index page. The "Add user" admin page is different
+than standard admin pages in that it requires you to choose a username and
+password before allowing you to edit the rest of the user's fields.
+
+Also note: if you want your own user account to be able to create users using
+the Django admin site, you'll need to give yourself permission to add users
+*and* change users (i.e., the "Add user" and "Change user" permissions). If
+your account has permission to add users but not to change them, you won't be
+able to add users. Why? Because if you have permission to add users, you have
+the power to create superusers, which can then, in turn, change other users. So
+Django requires add *and* change permissions as a slight security measure.
+
 Changing passwords
 ~~
 
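Review bot: The paragraph beginning "Also note" says an account with add but not change permission "won't be able to add users", but it never says what that account actually sees, and ticket #9866 was filed because the bare 403 "Permission denied" on the "Add user" page was unexplained. Suggest naming the symptom (permission denied at ``/admin/auth/user/add/``) so that someone who hits it can find this text. Minor wording point in the first added paragraph: "different than standard admin pages" reads better as "different from".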





[Changeset] r9683 - django/trunk/django/contrib/auth

2008-12-24 Thread noreply

Author: adrian
Date: 2008-12-25 00:17:42 -0600 (Thu, 25 Dec 2008)
New Revision: 9683

Modified:
   django/trunk/django/contrib/auth/admin.py
Log:
Improved the auth admin site to raise Http404 with a helpful error message if 
DEBUG is True, explaining why permission isn't denied. Refs #9866, and see also 
[9682]

Modified: django/trunk/django/contrib/auth/admin.py
===
--- django/trunk/django/contrib/auth/admin.py   2008-12-25 06:04:11 UTC (rev 
9682)
+++ django/trunk/django/contrib/auth/admin.py   2008-12-25 06:17:42 UTC (rev 
9683)
@@ -1,14 +1,14 @@
-
+from django import template
+from django.conf import settings
+from django.contrib import admin
+from django.contrib.auth.forms import UserCreationForm, UserChangeForm, 
AdminPasswordChangeForm
 from django.contrib.auth.models import User, Group
 from django.core.exceptions import PermissionDenied
-from django import template
+from django.http import HttpResponseRedirect, Http404
 from django.shortcuts import render_to_response, get_object_or_404
 from django.template import RequestContext
 from django.utils.html import escape
-from django.http import HttpResponseRedirect
 from django.utils.translation import ugettext, ugettext_lazy as _
-from django.contrib.auth.forms import UserCreationForm, UserChangeForm, 
AdminPasswordChangeForm
-from django.contrib import admin
 
 class GroupAdmin(admin.ModelAdmin):
 search_fields = ('name',)
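Review bot: The import block is re-sorted in the same commit that changes behaviour, so the only genuinely new names (`from django.conf import settings` and `Http404` on the `django.http` line) are buried among lines that merely moved. Suggest committing the reordering separately, or keeping the existing order and adding just those two imports, so the functional change is easy to audit.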
@@ -49,6 +49,10 @@
 # disallow users from adding users if they don't have change
 # permission.
 if not self.has_change_permission(request):
+if self.has_add_permission(request) and settings.DEBUG:
+# Raise Http404 in debug mode so that the user gets a helpful
+# error message.
+raise Http404('Your user does not have the "Change user" 
permission. In order to add users, Django requires that your user account have 
both the "Add user" and "Change user" permissions set.')
 raise PermissionDenied
 if request.method == 'POST':
 form = self.add_form(request.POST)
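Review bot: In the new `settings.DEBUG` branch the same authorization failure is raised as `Http404`, while every other path still reaches `raise PermissionDenied`, so the response for this request now depends on `DEBUG`. Tests or checks written against a debug configuration will see a not-found response where a production configuration returns permission denied. Suggest saying so in the code comment, or keeping the permission-denied response in both modes and attaching the explanation to it. The message is also a bare string literal although this module imports `ugettext_lazy as _`; wrapping it in `_()` would make it translatable.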





Re: [Django] #9866: 403 Permission denied on trying to add user

2008-12-24 Thread Django
#9866: 403 Permission denied on trying to add user
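--------------------------------------------+--------------------------------
          Reporter:  a-m-...@hotmail.com    |        Owner:  nobody
            Status:  new                    |    Milestone:  post-1.0
         Component:  django.contrib.admin   |      Version:  1.0
        Resolution:                         |     Keywords:  admin, add user
             Stage:  Accepted               |    Has_patch:  0
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------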
Comment (by adrian):

 Ahhh, I've remembered why this "bug" happens -- it's because we require
 both the "Add user" and "Change user" permissions in order to add a user.
 See the comment I added in [9682] for an explanation.




[Changeset] r9682 - django/trunk/django/contrib/auth

2008-12-24 Thread noreply

Author: adrian
Date: 2008-12-25 00:04:11 -0600 (Thu, 25 Dec 2008)
New Revision: 9682

Modified:
   django/trunk/django/contrib/auth/admin.py
Log:
Added comment to UserAdmin.add_view() explaining why we disallow users without 
change permissions from adding other users. Refs #9866

Modified: django/trunk/django/contrib/auth/admin.py
===
--- django/trunk/django/contrib/auth/admin.py   2008-12-23 18:28:22 UTC (rev 
9681)
+++ django/trunk/django/contrib/auth/admin.py   2008-12-25 06:04:11 UTC (rev 
9682)
@@ -42,6 +42,12 @@
 return super(UserAdmin, self).__call__(request, url)
 
 def add_view(self, request):
+# It's an error for a user to have add permission but NOT change
+# permission for users. If we allowed such users to add users, they
+# could create superusers, which would mean they would essentially have
+# the permission to change users. To avoid the problem entirely, we
+# disallow users from adding users if they don't have change
+# permission.
 if not self.has_change_permission(request):
 raise PermissionDenied
 if request.method == 'POST':
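Review bot: The added comment describes the case "add permission but NOT change permission", yet the guard it documents, `if not self.has_change_permission(request):`, tests only the change permission, and nothing in the visible lines of `add_view` calls `has_add_permission`. If the add permission is enforced elsewhere, the comment should say where; if it is not, an account holding only "Change user" passes this check, and the guard should test both permissions explicitly.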





Re: [Django] #9866: 403 Permission denied on trying to add user

2008-12-24 Thread Django
#9866: 403 Permission denied on trying to add user
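--------------------------------------------+--------------------------------
          Reporter:  a-m-...@hotmail.com    |        Owner:  nobody
            Status:  new                    |    Milestone:  post-1.0
         Component:  django.contrib.admin   |      Version:  1.0
        Resolution:                         |     Keywords:  admin, add user
             Stage:  Accepted               |    Has_patch:  0
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------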
Changes (by adrian):

  * needs_better_patch:  => 0
  * stage:  Unreviewed => Accepted
  * component:  Authentication => django.contrib.admin
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 I've confirmed the bug. To reproduce:

  * Create an admin user whose only permission is to add users.
  * Log in to the admin as that user.
  * Click "Add user".
  * You get a "Permission denied" page, which I believe is the result of
 the {{{PermissionDenied}}} exception.




[Django] #9910: Allow to change db_table for django contrib apps

2008-12-24 Thread Django
#9910: Allow to change db_table for django contrib apps
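-----------------------------------+--------------------------------
 Reporter:  zlw                    |      Owner:  nobody
   Status:  new                    |  Milestone:
Component:  Contrib apps           |    Version:  1.0
 Keywords:  db_table, table name   |      Stage:  Unreviewed
Has_patch:  0                      |
-----------------------------------+--------------------------------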
 I think that Django should allow to change table name for django apps
 (auth, contenttype etc.). It's not hard to implement, but it can help some
 people (including me). I've already changed some files
 (django/contrib/auth/backends.py) and added new one (change_db_table.py in
 project folder). It works now, but I don't want to change it all of the
 time when new Django release will come. My changes -
 http://pastie.org/346481




Re: [Django] #9909: spam

2008-12-24 Thread Django
#9909: spam
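--------------------------------------------+--------------------------------
          Reporter:                         |        Owner:  nobody
            Status:  closed                 |    Milestone:  post-1.0
         Component:  Uncategorized          |      Version:  1.0
        Resolution:  invalid                |     Keywords:
             Stage:  Unreviewed             |    Has_patch:  0
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------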
Changes (by Alex):

  * status:  new => closed
  * reporter:  anonymous =>
  * cc: TCDzliGAKMBMTASLm (removed)
  * needs_better_patch:  => 0
  * needs_tests:  => 0
  * summary:  IQwuHObgCnzb => spam
  * keywords:  fSYYAUfdfJ =>
  * needs_docs:  => 0
  * resolution:  => invalid

New description:

 spam




Re: [Django] #8245: Exceptions in admin.py can get hidden by an AlreadyRegistered exception

2008-12-24 Thread Django
#8245: Exceptions in admin.py can get hidden by an AlreadyRegistered exception
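--------------------------------------------+--------------------------------
          Reporter:  jarrow                 |        Owner:  nobody
            Status:  closed                 |    Milestone:  post-1.0
         Component:  django.contrib.admin   |      Version:  SVN
        Resolution:  fixed                  |     Keywords:
             Stage:  Accepted               |    Has_patch:  1
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------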
Comment (by jarrow):

 Cool, thanks for the fix. I think this solution has some drawbacks though:

  - You only see the real exception on the first request
  - All the stuff getting executed behind the exception in the admin.py
 file is missing (which could cause other exceptions in turn)
  - To get the real exception back __and__ to execute the stuff behind the
 source of the exception one has to restart the server (even the development
 one)

 The previous patch (though admittedly not that pretty) didn't have these
 issues. Was this the intended behaviour?




Re: [Django] #6362: Remove blank spaces with strip when validating the data

2008-12-24 Thread Django
#6362: Remove blank spaces with strip when validating the data
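--------------------------------------------+--------------------------------
          Reporter:  marinho                |        Owner:  nobody
            Status:  new                    |    Milestone:
         Component:  Forms                  |      Version:  SVN
        Resolution:                         |     Keywords:  blank space strip
             Stage:  Design decision needed |    Has_patch:  1
        Needs_docs:  0                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------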
Comment (by dc):

 -1 for the normalize(). It's overkill for simple stripping. And for
 complicated normalization it's better to normalize data in form.clean_FIELD()
 or write your own field subclass with a specialized clean() method.




Re: [Django] #9908: Allow individual app_index templates for different apps

2008-12-24 Thread Django
#9908: Allow individual app_index templates for different apps
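--------------------------------------------+--------------------------------
          Reporter:  arne                   |        Owner:  jezdez
            Status:  assigned               |    Milestone:
         Component:  django.contrib.admin   |      Version:  SVN
        Resolution:                         |     Keywords:  app_index
             Stage:  Unreviewed             |    Has_patch:  1
        Needs_docs:  1                      |  Needs_tests:  0
Needs_better_patch:  0                      |
--------------------------------------------+--------------------------------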
Changes (by jezdez):

  * owner:  nobody => jezdez
  * needs_better_patch:  => 0
  * status:  new => assigned
  * needs_tests:  => 0
  * needs_docs:  => 1




[Django] #9908: Allow individual app_index templates for different apps

2008-12-24 Thread Django
#9908: Allow individual app_index templates for different apps
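-----------------------------------+--------------------------------
 Reporter:  arne                   |      Owner:  nobody
   Status:  new                    |  Milestone:
Component:  django.contrib.admin   |    Version:  SVN
 Keywords:  app_index              |      Stage:  Unreviewed
Has_patch:  1                      |
-----------------------------------+--------------------------------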
 django.contrib.admin allows customization of individual change_list or
 change_form templates by using a list of templates in the form of (example
 from render_change_form method):
 {{{
 self.change_form_template or [
     "admin/%s/%s/change_form.html" % (app_label, opts.object_name.lower()),
     "admin/%s/change_form.html" % app_label,
     "admin/change_form.html"
 ]
 }}}

 This mechanism does not work for the app_index template but could easily
 be implemented. I've attached a diff, which allows placing templates at
 'admin//app_index.html' for individual apps, while still
 allowing global customization by setting the app_index_template class
 attribute and still falling back to 'admin/app_index.html'
