I would be pretty curious to see what they say about this. I've never thought about it.
Looks like you're not the first to notice this:
http://stackoverflow.com/questions/2297377/how-do-i-prevent-permission-escalation-in-django-admin-when-granting-user-change

We probably could make a custom UserChangeForm as they demonstrate. We already have one, actually. Still, I'd like to see this fixed upstream.

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com

On Wed, Mar 10, 2010 at 1:11 PM, Matthew Woehlke <mw_tr...@users.sourceforge.net> wrote:

> On 2010-03-10 15:07, Christian Hammond wrote:
>
>> Staff means you have the ability to create/delete/modify anything in the
>> database that you have permissions for (by default, this is everything, I
>> believe). Superuser means you have it no matter what permissions are set.
>> You basically have every single permission automatically.
>>
>> This is a Django thing, and not controlled by Review Board in any way. It
>> seems like something they should probably prevent. I think the proper thing
>> to do, though, is to just not give staff members the ability to modify users
>> by default. I see nothing in Django that prevents modifying this flag
>> otherwise.
>
> Okay, thanks. Unfortunately that seems like it would defeat the goal of
> staff being able to create users and reset passwords :-(.
>
> It seems rather counter-intuitive that the 'may modify users' and
> 'superuser' flags are effectively synonymous. I guess I should bug Django
> about it?
>
> --
> Matthew
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en
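
The mitigation discussed in this thread (staff who may modify users must not be able to set the superuser flag), as an added example that is not part of the original messages or of Review Board's code. It uses Django's `ModelAdmin.get_readonly_fields` and `has_change_permission` hooks rather than the custom UserChangeForm mentioned above; `NoEscalationMixin`, `PRIVILEGE_FIELDS` and the stub admin are hypothetical names, and refusing edits to superuser accounts is an assumption that goes beyond the thread.

```python
from types import SimpleNamespace

# Hypothetical names; the field names are those of django.contrib.auth's User.
PRIVILEGE_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")


class NoEscalationMixin:
    """List before the UserAdmin base class so these overrides run first."""

    def get_readonly_fields(self, request, obj=None):
        # The admin leaves read-only fields out of the generated form, so a
        # tampered POST cannot change them either.
        fields = tuple(super().get_readonly_fields(request, obj))
        if request.user.is_superuser:
            return fields
        return fields + tuple(f for f in PRIVILEGE_FIELDS if f not in fields)

    def has_change_permission(self, request, obj=None):
        # Assumption beyond the thread: resetting a superuser's password is
        # the same escalation, so non-superusers may not edit those accounts.
        allowed = super().has_change_permission(request, obj)
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return allowed


class _StubUserAdmin:
    """Constructed stand-in for django.contrib.auth.admin.UserAdmin."""
    readonly_fields = ("last_login",)

    def get_readonly_fields(self, request, obj=None):
        return self.readonly_fields

    def has_change_permission(self, request, obj=None):
        return True  # pretend the actor holds the "change user" permission


class DemoUserAdmin(NoEscalationMixin, _StubUserAdmin):
    pass


def demo():
    admin = DemoUserAdmin()
    staff = SimpleNamespace(user=SimpleNamespace(is_superuser=False))
    root = SimpleNamespace(user=SimpleNamespace(is_superuser=True))
    superuser_account = SimpleNamespace(is_superuser=True)
    return {"staff_readonly": admin.get_readonly_fields(staff),
            "root_readonly": admin.get_readonly_fields(root),
            "staff_edits_root": admin.has_change_permission(staff, superuser_account),
            "root_edits_root": admin.has_change_permission(root, superuser_account)}
```

In a Django project the stub is replaced by the real `UserAdmin` as the second base class; staff keep the ability to create ordinary users and reset their passwords.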