The following flaw was found in Django:
If a "ModelAdmin" uses "save_as=True" (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission.
This issue affects upstream version 1.9 of Django; versions 1.8 and older are not affected.
Red Hat would like to thank the upstream Django project for reporting this issue.