I would be pretty curious to see what they say about this. I've never
thought about it.

Looks like you're not the first to notice this:

http://stackoverflow.com/questions/2297377/how-do-i-prevent-permission-escalation-in-django-admin-when-granting-user-change

We probably could make a custom UserChangeForm as they demonstrate. We
already have one, actually. Still, I'd like to see this fixed upstream.

Christian


-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Wed, Mar 10, 2010 at 1:11 PM, Matthew Woehlke <
mw_tr...@users.sourceforge.net> wrote:

> On 2010-03-10 15:07, Christian Hammond wrote:
>
>> Staff means you have the ability to create/delete/modify anything in the
>> database that you have permissions for (by default, this is everything, I
>> believe). Superuser means you have it no matter what permissions are set.
>> You basically have every single permission automatically.
>>
>> This is a Django thing, and not controlled by Review Board in any way. It
>> seems like something they should probably prevent. I think the proper
>> thing to do, though, is to just not give staff members the ability to
>> modify users by default. I see nothing in Django that prevents modifying
>> this flag otherwise.
>>
>
> Okay, thanks. Unfortunately that seems like it would defeat the goal of
> staff being able to create users and reset passwords :-(.
>
> It seems rather counter-intuitive that the 'may modify users' and
> 'superuser' flags are effectively synonymous. I guess I should bug Django
> about it?
>
>
> --
> Matthew
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> -~----------~----~----~----~------~----~------~--~---
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en
>
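
The check a custom user-change form would have to enforce, as an added example that is not code from this thread, Review Board or Django: a non-superuser's edit is split into fields that may be applied and privilege fields that must be refused. Field names follow Django's `User` model; `Account`, `filter_user_change` and the sample accounts are hypothetical, and the rule that staff may not edit superuser accounts at all is an assumed policy that goes beyond the single flag discussed above.

```python
from dataclasses import dataclass

# Field names follow django.contrib.auth.models.User. Account and
# filter_user_change are hypothetical and do not import Django.
PRIVILEGE_FIELDS = frozenset(
    {"is_superuser", "is_staff", "groups", "user_permissions"})


@dataclass
class Account:
    username: str
    email: str = ""
    is_staff: bool = False
    is_superuser: bool = False
    groups: frozenset = frozenset()
    user_permissions: frozenset = frozenset()


def filter_user_change(editor, target, submitted):
    """Split a submitted edit of `target` into (accepted, rejected).

    accepted: field -> new value the editor may apply.
    rejected: sorted privilege fields a non-superuser tried to change.
    """
    if not (editor.is_staff or editor.is_superuser):
        raise PermissionError("editor has no admin access")
    if editor.is_superuser:
        return dict(submitted), []
    if target.is_superuser:
        # Assumed policy: resetting a superuser's password would also be
        # an escalation path, so staff may not edit superusers at all.
        raise PermissionError("staff may not edit a superuser account")
    accepted, rejected = {}, []
    for name, value in submitted.items():
        if name in PRIVILEGE_FIELDS:
            # An admin form posts every field, so unchanged values are
            # dropped silently; only a real change is reported.
            if value != getattr(target, name):
                rejected.append(name)
            continue
        accepted[name] = value
    return accepted, sorted(rejected)


# Constructed sample: a staff member edits an ordinary account.
staff = Account("helpdesk", is_staff=True)
alice = Account("alice", email="old@example.com")
post = {"email": "new@example.com", "is_staff": False, "is_superuser": True}
print(filter_user_change(staff, alice, post))
```

The rejected list is worth logging, since a non-empty value means the request carried a privilege change the form should never have offered.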
