Non-superuser visiting /users needs some informative message.
Once a new user is created but inactive, they're redirected to the login page. We treat non-active users as not authenticated, which might be confusing for someone creating an account. On the other hand if we were to treat them as authenticated but inactive we need to protect every route with a check for whether or not the user is active.
A couple issues with the new user flow: