This is not a bug. It is how the permissions system works. So far as the Admin goes, it is model granular, not row granular or field granular, meaning that if you grant a user full access to the User object, as you did, they can do anything to that table, including change permission levels. The permissions system does not have the concept of a hierarchy of permissions.
Suggest you read the docs, and direct any questions to the users list:

http://docs.djangoproject.com/en/dev/topics/auth/

On Sep 1, 2008, at 2:36 AM, Ca-Phun Ung wrote:

> Hi,
>
> I hit a problem with user permissions within the Django admin area.
> The other day I gave a user add/edit/delete permissions to the user
> object so that they could manage staff access on the websites.
> However, in doing this that particular user is now able to create
> other users with greater permissions than himself, even promoting
> others to superuser status. Furthermore that user could also turn
> himself super by editing his own profile. Is this a known problem?
> Is there a way to work around it? Or is there a planned fix? I'm
> running off SVN.
>
> Thanks.
>
> --
> Ca-Phun Ung
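
Added illustration, not part of the original thread and not Django's own code: because the permission check described in the reply is per model, any guard against a user granting more than he holds has to compare the editor's rights with the rights being granted. `Account` and `escalation_violations` are hypothetical names, and the accounts are constructed sample data.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Account:
    """Hypothetical stand-in for the auth-related fields of a user row."""
    username: str
    is_superuser: bool = False
    permissions: frozenset = frozenset()

def escalation_violations(actor, before, after):
    """List the ways the edit before -> after exceeds the actor's own rights.

    `before` is None when the actor is creating a new account.
    """
    if actor.is_superuser:
        return []  # superusers are unrestricted by definition
    problems = []
    was_super = before is not None and before.is_superuser
    if was_super:
        problems.append("may not edit a superuser account")
    if after.is_superuser and not was_super:
        problems.append("may not grant superuser status")
    old = before.permissions if before is not None else frozenset()
    excess = (after.permissions - old) - actor.permissions
    if excess:
        problems.append("may not grant: " + ", ".join(sorted(excess)))
    return problems

# Constructed sample data: a staff manager holding only the three user permissions.
USER_PERMS = frozenset({"auth.add_user", "auth.change_user", "auth.delete_user"})
manager = Account("manager", permissions=USER_PERMS)
root = Account("root", is_superuser=True)

if __name__ == "__main__":
    # The manager edits his own record to become superuser.
    print(escalation_violations(manager, manager, replace(manager, is_superuser=True)))
    # The manager creates an account with a permission he does not hold.
    new = Account("temp", permissions=frozenset({"auth.change_user", "sites.delete_site"}))
    print(escalation_violations(manager, None, new))
    # The same creation by a superuser passes.
    print(escalation_violations(root, None, new))
```

A check of this kind belongs in whatever code path saves the user record, since the model-level permission alone cannot express it.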