Staff means you have the ability to create/delete/modify anything in the database that you have permissions for (by default, this is everything, I believe). Superuser means you have it no matter what permissions are set. You basically have every single permission automatically.
This is a Django thing, and not controlled by Review Board in any way. It seems like something they should probably prevent. I think the proper thing to do, though, is to just not give staff members the ability to modify users by default. I see nothing in Django that prevents modifying this flag otherwise.

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com

On Wed, Mar 10, 2010 at 11:17 AM, Matthew Woehlke <mw_tr...@users.sourceforge.net> wrote:

> I noticed something surprising today. Besides my RB "root" account, I have
> my personal account set up with "staff" permissions (so I and others can
> e.g. add users without using the superuser account), but apparently this
> power includes the ability to make anyone superuser. Is there a permission
> to prevent that?
>
> I'm using RB 1.0.5.1.
>
> --
> Matthew
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> -~----------~----~----~----~------~----~------~--~---
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en
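
One way to keep staff able to manage users while closing the escalation path discussed in this thread, as an added example (not code from Django, Review Board or either participant). It assumes a Django version that provides `ModelAdmin.get_readonly_fields`; `PRIVILEGE_FIELDS`, `PrivilegeFieldGuardMixin`, `RestrictedUserAdmin` and `install` are hypothetical names, and the guard goes beyond the `is_superuser` flag to cover the other fields that grant privileges.

```python
# Added example: user-model fields that can raise an account's privileges.
PRIVILEGE_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")


class PrivilegeFieldGuardMixin:
    """Mix into the ModelAdmin of the user model (list it before UserAdmin)."""

    def get_readonly_fields(self, request, obj=None):
        readonly = list(super().get_readonly_fields(request, obj))
        if request.user.is_superuser:
            return readonly
        # Read-only fields are left out of the generated form, so values
        # POSTed for them by a non-superuser are never saved.
        return readonly + [f for f in PRIVILEGE_FIELDS if f not in readonly]

    def has_change_permission(self, request, obj=None):
        allowed = super().has_change_permission(request, obj)
        # Staff may not edit an existing superuser's account at all.
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return allowed


def install():
    """Call from the admin.py of a project app (hypothetical wiring)."""
    # Imported lazily: these modules need a configured Django project.
    from django.contrib import admin
    from django.contrib.auth.admin import UserAdmin
    from django.contrib.auth.models import User

    class RestrictedUserAdmin(PrivilegeFieldGuardMixin, UserAdmin):
        pass

    # Replace the stock user admin with the guarded one.
    admin.site.unregister(User)
    admin.site.register(User, RestrictedUserAdmin)
```

Staff accounts that hold the user add/change permissions can still create and edit ordinary users; only a superuser sees the privilege fields as editable.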