Staff means you have the ability to create/delete/modify anything in the
database that you have permissions for (by default, this is everything, I
believe). Superuser means you have it no matter what permissions are set.
You basically have every single permission automatically.

This is a Django thing, and not controlled by Review Board in any way. It
seems like something they should probably prevent. I think the proper thing
to do, though, is to just not give staff members the ability to modify users
by default. I see nothing in Django that prevents modifying this flag
otherwise.

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Wed, Mar 10, 2010 at 11:17 AM, Matthew Woehlke <
mw_tr...@users.sourceforge.net> wrote:

> I noticed something surprising today. Besides my RB "root" account, I have
> my personal account set up with "staff" permissions (so I and others can
> e.g. add users without using the superuser account), but apparently this
> power includes the ability to make anyone superuser. Is there a permission
> to prevent that?
>
> I'm using RB 1.0.5.1.
>
> --
> Matthew
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> -~----------~----~----~----~------~----~------~--~---
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com<reviewboard%2bunsubscr...@googlegroups.com>
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en

-- 
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~----------~----~----~----~------~----~------~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en

Reply via email to