I have come across a strange behavior while creating a user using the Django admin interface. I have to create a user which can add other users, but for that Django requires two permissions, i.e. add user and change user. But when I gave the user the change permission, it's even able to change the superuser of the site.

What I want is to create a user which can only create other users.

Please suggest.

Thanks in advance.

Ankit Jaiswal
  • possible duplicate of [How do I prevent permission escalation in Django admin when granting "user change" permission?](http://stackoverflow.com/questions/2297377/how-do-i-prevent-permission-escalation-in-django-admin-when-granting-user-change) – viam0Zah Jun 24 '10 at 11:31
  • Yes, it seems it should work. Will give it a try. Thanks a lot. Also, is there any document where we can get information like which method should be overridden for which functionality and what parameters should be changed? Like in this case, we are overriding the change_view method for the field_set parameter? – Ankit Jaiswal Jun 24 '10 at 11:47
  • most of the methods that you can override are in django/contrib/admin/options.py – Peter Long Jun 02 '11 at 02:28

1 Answer

This isn't supported by default in Django. You could subclass the normal UserAdmin and make your own that disables the "superuser" checkbox for non-superusers:

from django.contrib.auth.admin import UserAdmin
from django.contrib.auth.models import User
from django.contrib import admin


class MyUserAdmin(UserAdmin):

    # `request` arrives as a keyword argument in Django < 2.0 and as a positional
    # argument from 2.0 on; taking it explicitly and passing it back by name
    # works with both.
    def formfield_for_dbfield(self, db_field, request=None, **kwargs):
        field = super(MyUserAdmin, self).formfield_for_dbfield(
            db_field, request=request, **kwargs)
        user = request.user
        if not user.is_superuser and db_field.name == 'is_superuser':
            # Renders the checkbox greyed out for staff who are not superusers.
            # Presentation only: the browser decides what is actually POSTed.
            field.widget.attrs['disabled'] = 'disabled'
        return field


admin.site.unregister(User)
admin.site.register(User, MyUserAdmin)
Bernhard Vallant
  • Right, this will only disable widgets, but it does not guarantee that the user can't change this object. You have to override `save()` and make the necessary verification there. – Vladimir Prudnikov Jul 31 '13 at 01:37
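The follow-up comment is the important point: the answer's widget tweak only changes what the browser renders, and the POST body is under the client's control. Below, as an added example that is not part of the original answer, is a server-side policy that does the check the comment asks for. `Account`, `PRIVILEGE_FIELDS`, `forbidden_changes` and `demo` are names chosen here; the policy is duck-typed so a Django `User` instance works as `actor` or `target`, but it runs here against plain stand-ins with no Django install.

```python
from dataclasses import dataclass
# Fields that grant or remove privilege; only a superuser may change them.
PRIVILEGE_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")

@dataclass
class Account:  # constructed stand-in with only the User attributes read below
    pk: int
    is_superuser: bool = False
    is_staff: bool = False
    groups: tuple = ()
    user_permissions: tuple = ()

def _norm(value):  # many-to-many selections as sorted tuples, flags as booleans
    if isinstance(value, (list, tuple, set, frozenset)):
        return tuple(sorted(value))
    return bool(value)

def forbidden_changes(actor, target, posted):
    """Reasons to reject this save (empty list = allowed); `posted` is the cleaned
    form data and `target` is None on creation. Hypothetical wiring: call it from
    UserAdmin.save_model(request, obj, form, change) with the original row as
    `target` and raise PermissionDenied on any reason; the client owns the POST.
    """
    if actor.is_superuser:
        return []
    reasons = []
    if target is not None and target.is_superuser:
        reasons.append("non-superusers may not edit a superuser account")
    for name in PRIVILEGE_FIELDS:
        if name not in posted:
            continue
        if target is None:  # creation: compare with a fresh, unprivileged row
            current = () if name in ("groups", "user_permissions") else False
        else:
            current = _norm(getattr(target, name))
        if _norm(posted[name]) != current:
            reasons.append("non-superusers may not change " + name)
    return reasons

def demo():
    """The thread's scenario: staff holding only add_user and change_user."""
    staff = Account(pk=2, is_staff=True)
    root = Account(pk=1, is_superuser=True, is_staff=True)
    return {
        "create_plain": forbidden_changes(staff, None, {"username": "bob", "is_superuser": False}),
        "forged_flag": forbidden_changes(staff, None, {"username": "bob", "is_superuser": True}),
        "edit_root": forbidden_changes(staff, root, {"is_superuser": True}),
        "root_promotes": forbidden_changes(root, staff, {"is_superuser": True}),
    }
```

`forged_flag` is the case the disabled checkbox cannot stop: the same form field re-enabled client-side and submitted as checked.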