#7150: patch to implement view permission in admin
------------------------------------------------------------+---------------
Reporter: Antonio Gallo <[email protected]>           | Owner: nobody
Status: closed                                              | Milestone:
Component: django.contrib.admin                             | Version: 1.0
Resolution: duplicate                                       | Keywords: admin permissions
Stage: Unreviewed                                           | Has_patch: 1
Needs_docs: 0                                               | Needs_tests: 0
Needs_better_patch: 0                                       |
------------------------------------------------------------+---------------
Comment (by cmwslw):
I'd like to support this change. In sites with user-generated content,
employees often need to monitor how the site is being used, just as a
server administrator checks the logs. People answering user questions and
email often need to view a user's data to respond to questions or problems
they have with the site. If an error occurred, developers need to
investigate the data that caused the error in order to debug it. As of
now, these users need to be granted 'add' permissions just to be able to
view the content. It's a security risk to enable add permissions to all of
their accounts because if one of the accounts is hacked, an attacker could
seriously mess up the site. They would be able to add accounts without
being activated. The attacker could create blog posts filled with spam.
Furthermore, they could bring down parts of the site by causing
MultipleObjectsReturned errors. The more secure way would be to create
administration accounts with only view permissions. Then there would only
have to be one other account with more permissions, the superuser.
I realize that the Django developers want to keep the admin site for
administrators only, but it's important to realize that being able to view
the site's data is a huge part of administering a web site. Just because
it's a view permission doesn't mean that all users will have it and the
admin site will be public-facing. This may not be an issue for sites with
tightly controlled content such as a news site or blog. Django, however,
is increasingly being used for sites with other models, and it is
important to take this into consideration.
--
Ticket URL: <http://code.djangoproject.com/ticket/7150#comment:11>