Re: More controls on createsuperuser

[Joel Mathew]

It's not the command that you should be worried about, but shell access to
your system. If your database server is secure, shell access is restricted,
and the server is also hardened reasonably, you should be relatively safe.
Sincerely yours,

 Joel G Mathew



On Tue, 30 Apr 2019 at 21:07, Mario R. Osorio  wrote:

> You'd only need editing the already existing management command and remove
> the possibility of using createsuperuser, but that is as useless as a
> ceiling fan on a motor bike.as anyone that already has access to the
> management code could just revert those changes. even continuing this
> thread is a waste of time.
>
> Dtb/Gby
> ===
> Mario R. Osorio
> B.A.S. of Information Technology
> Web page: *http;//mario.osorio.solutions
> *
> Email: *mario@osorio.solutions* 
> *Just Choose Python!* 
>
> *SQL programmers don't die, they just ROLLBACK the TRANSACTION.*
>
>
>
> On Tue, Apr 30, 2019 at 11:12 AM Chetan Ganji 
> wrote:
>
>> RE :"*someone could still run createsuperuser *"
>>
>> How do you suppose this is going to happen unless they have access to
>> your system?
>>
>> If you are really concerned about that?? django is basically a package.
>> Just find the source code for the creatsuperuser admin command and delete
>> that file if its the only command in that file ;-)
>> if not just delete that function only :) Its that simple.
>>
>> But How will you create a superuser after deleting the command from the
>> django package??
>>
>> One way to solve is write your own custom management command, create
>> superuser at the time of deployment and delete that custom command also.
>>
>> I hope this solves your problemo :)
>> Cheers!
>>
>>
>> Regards,
>> Chetan Ganji
>> +91-900-483-4183
>> ganji.che...@gmail.com
>> http://ryucoder.in
>>
>>
>> On Tue, Apr 30, 2019 at 6:09 PM Lipika Chandel 
>> wrote:
>>
>>> Hey,
>>> I am using Django 2.2 and I am stuck with the image upload functionality
>>> from admin site. I am not able to get the image on my template.
>>> Please help.
>>>
>>> Thanks & Regards
>>> LIPIKA CHANDEL
>>>
>>> On Tue, Apr 30, 2019 at 11:57 AM Jani Tiainen  wrote:
>>>
 I've have to agree that any attempt to limit superuser creation through
 manage.py is wrong solution to wrong problem.

 Even it's possible to attempt it it is as easy to circumvent.

 So do not give an access to manage.py to users that are not supposed
 to. Problem solved for good.

 ma 29. huhtik. 2019 klo 21.04  kirjoitti:

> Anyone capable of running the createsuperuser command on your project
> most probably has access to all and any of the project's files, specially
> your config file.
>
> Actually this user is either a valid su or you are in serious trouble
> because the security of your server sucks or you gave access to your
> project to the wrong person.
>
> So, no I don't think there is any point in doing so. Not because it
> can't be done but because it is both trivially useless.and uselessly
> trivial.
>
>
>
> On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>>
>> All,
>>
>> Curious what people think about more thought and control going into
>> who can run the createsuperuser method?
>>
>> For example say there's models that I don't want anyone to touch
>> except myself as a superuser. Is it not plausible that even if I make a
>> Django Group around that model that someone could still run 
>> createsuperuser
>> and give themselves the ability to have full control?
>>
>> Wouldn't it make sense if some random developer were to run
>> createsuperuser using django settings with any of the databases (as an
>> example) that it prevent them if say that email isn't on say an internal
>> list in the django admin of approved potential users?
>>
>> I see something like this being a good idea to prevent just anyone
>> from getting full control over the site without it being specifically
>> provided.
>>
>> Maybe there's something I'm missing something but been reading about
>> third party options and more about what's there and I just feel there's a
>> hole when it comes to who can create a super user account. Obviously you
>> could have a script that you run to initialize who is a super user, what
>> the groups are etc, but then you're basically recording personal
>> information somewhere when that should only be typed in.
>>
>> Open to ideas and thoughts, mostly just curious what could be a good
>> answer.
>>
>> Best,
>>
>> JJ
>>
> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-users+unsubscr...@googlegroups.com.

Re: More controls on createsuperuser

[Mario R. Osorio]

You'd only need editing the already existing management command and remove
the possibility of using createsuperuser, but that is as useless as a
ceiling fan on a motor bike.as anyone that already has access to the
management code could just revert those changes. even continuing this
thread is a waste of time.

Dtb/Gby
===
Mario R. Osorio
B.A.S. of Information Technology
Web page: *http;//mario.osorio.solutions
*
Email: *mario@osorio.solutions* 
*Just Choose Python!* 

*SQL programmers don't die, they just ROLLBACK the TRANSACTION.*



On Tue, Apr 30, 2019 at 11:12 AM Chetan Ganji 
wrote:

> RE :"*someone could still run createsuperuser *"
>
> How do you suppose this is going to happen unless they have access to your
> system?
>
> If you are really concerned about that?? django is basically a package.
> Just find the source code for the creatsuperuser admin command and delete
> that file if its the only command in that file ;-)
> if not just delete that function only :) Its that simple.
>
> But How will you create a superuser after deleting the command from the
> django package??
>
> One way to solve is write your own custom management command, create
> superuser at the time of deployment and delete that custom command also.
>
> I hope this solves your problemo :)
> Cheers!
>
>
> Regards,
> Chetan Ganji
> +91-900-483-4183
> ganji.che...@gmail.com
> http://ryucoder.in
>
>
> On Tue, Apr 30, 2019 at 6:09 PM Lipika Chandel 
> wrote:
>
>> Hey,
>> I am using Django 2.2 and I am stuck with the image upload functionality
>> from admin site. I am not able to get the image on my template.
>> Please help.
>>
>> Thanks & Regards
>> LIPIKA CHANDEL
>>
>> On Tue, Apr 30, 2019 at 11:57 AM Jani Tiainen  wrote:
>>
>>> I've have to agree that any attempt to limit superuser creation through
>>> manage.py is wrong solution to wrong problem.
>>>
>>> Even it's possible to attempt it it is as easy to circumvent.
>>>
>>> So do not give an access to manage.py to users that are not supposed to.
>>> Problem solved for good.
>>>
>>> ma 29. huhtik. 2019 klo 21.04  kirjoitti:
>>>
 Anyone capable of running the createsuperuser command on your project
 most probably has access to all and any of the project's files, specially
 your config file.

 Actually this user is either a valid su or you are in serious trouble
 because the security of your server sucks or you gave access to your
 project to the wrong person.

 So, no I don't think there is any point in doing so. Not because it
 can't be done but because it is both trivially useless.and uselessly
 trivial.



 On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>
> All,
>
> Curious what people think about more thought and control going into
> who can run the createsuperuser method?
>
> For example say there's models that I don't want anyone to touch
> except myself as a superuser. Is it not plausible that even if I make a
> Django Group around that model that someone could still run 
> createsuperuser
> and give themselves the ability to have full control?
>
> Wouldn't it make sense if some random developer were to run
> createsuperuser using django settings with any of the databases (as an
> example) that it prevent them if say that email isn't on say an internal
> list in the django admin of approved potential users?
>
> I see something like this being a good idea to prevent just anyone
> from getting full control over the site without it being specifically
> provided.
>
> Maybe there's something I'm missing something but been reading about
> third party options and more about what's there and I just feel there's a
> hole when it comes to who can create a super user account. Obviously you
> could have a script that you run to initialize who is a super user, what
> the groups are etc, but then you're basically recording personal
> information somewhere when that should only be typed in.
>
> Open to ideas and thoughts, mostly just curious what could be a good
> answer.
>
> Best,
>
> JJ
>
 --
 You received this message because you are subscribed to the Google
 Groups "Django users" group.
 To unsubscribe from this group and stop receiving emails from it, send
 an email to django-users+unsubscr...@googlegroups.com.
 To post to this group, send email to django-users@googlegroups.com.
 Visit this group at https://groups.google.com/group/django-users.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/django-users/f85e2d9b-ec2d-4814-b4d5-df137bf8a883%40googlegroups.com
 
 .
 For m

Re: More controls on createsuperuser

[Chetan Ganji]

RE :"*someone could still run createsuperuser *"

How do you suppose this is going to happen unless they have access to your
system?

If you are really concerned about that?? django is basically a package.
Just find the source code for the creatsuperuser admin command and delete
that file if its the only command in that file ;-)
if not just delete that function only :) Its that simple.

But How will you create a superuser after deleting the command from the
django package??

One way to solve is write your own custom management command, create
superuser at the time of deployment and delete that custom command also.

I hope this solves your problemo :)
Cheers!


Regards,
Chetan Ganji
+91-900-483-4183
ganji.che...@gmail.com
http://ryucoder.in


On Tue, Apr 30, 2019 at 6:09 PM Lipika Chandel 
wrote:

> Hey,
> I am using Django 2.2 and I am stuck with the image upload functionality
> from admin site. I am not able to get the image on my template.
> Please help.
>
> Thanks & Regards
> LIPIKA CHANDEL
>
> On Tue, Apr 30, 2019 at 11:57 AM Jani Tiainen  wrote:
>
>> I've have to agree that any attempt to limit superuser creation through
>> manage.py is wrong solution to wrong problem.
>>
>> Even it's possible to attempt it it is as easy to circumvent.
>>
>> So do not give an access to manage.py to users that are not supposed to.
>> Problem solved for good.
>>
>> ma 29. huhtik. 2019 klo 21.04  kirjoitti:
>>
>>> Anyone capable of running the createsuperuser command on your project
>>> most probably has access to all and any of the project's files, specially
>>> your config file.
>>>
>>> Actually this user is either a valid su or you are in serious trouble
>>> because the security of your server sucks or you gave access to your
>>> project to the wrong person.
>>>
>>> So, no I don't think there is any point in doing so. Not because it
>>> can't be done but because it is both trivially useless.and uselessly
>>> trivial.
>>>
>>>
>>>
>>> On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:

 All,

 Curious what people think about more thought and control going into who
 can run the createsuperuser method?

 For example say there's models that I don't want anyone to touch except
 myself as a superuser. Is it not plausible that even if I make a Django
 Group around that model that someone could still run createsuperuser and
 give themselves the ability to have full control?

 Wouldn't it make sense if some random developer were to run
 createsuperuser using django settings with any of the databases (as an
 example) that it prevent them if say that email isn't on say an internal
 list in the django admin of approved potential users?

 I see something like this being a good idea to prevent just anyone from
 getting full control over the site without it being specifically provided.

 Maybe there's something I'm missing something but been reading about
 third party options and more about what's there and I just feel there's a
 hole when it comes to who can create a super user account. Obviously you
 could have a script that you run to initialize who is a super user, what
 the groups are etc, but then you're basically recording personal
 information somewhere when that should only be typed in.

 Open to ideas and thoughts, mostly just curious what could be a good
 answer.

 Best,

 JJ

>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to django-users+unsubscr...@googlegroups.com.
>>> To post to this group, send email to django-users@googlegroups.com.
>>> Visit this group at https://groups.google.com/group/django-users.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/f85e2d9b-ec2d-4814-b4d5-df137bf8a883%40googlegroups.com
>>> 
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to django-users@googlegroups.com.
>> Visit this group at https://groups.google.com/group/django-users.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/CAHn91oeeEhnsdrWfur0pV-%2B-BGU_mT70fbbmc7qFM1SwB3Df%2Bg%40mail.gmail.com
>> 
>> .
>> For more options, visit https://groups.google.com/d/optout.

Re: More controls on createsuperuser

[Lipika Chandel]

Hey,
I am using Django 2.2 and I am stuck with the image upload functionality
from admin site. I am not able to get the image on my template.
Please help.

Thanks & Regards
LIPIKA CHANDEL

On Tue, Apr 30, 2019 at 11:57 AM Jani Tiainen  wrote:

> I've have to agree that any attempt to limit superuser creation through
> manage.py is wrong solution to wrong problem.
>
> Even it's possible to attempt it it is as easy to circumvent.
>
> So do not give an access to manage.py to users that are not supposed to.
> Problem solved for good.
>
> ma 29. huhtik. 2019 klo 21.04  kirjoitti:
>
>> Anyone capable of running the createsuperuser command on your project
>> most probably has access to all and any of the project's files, specially
>> your config file.
>>
>> Actually this user is either a valid su or you are in serious trouble
>> because the security of your server sucks or you gave access to your
>> project to the wrong person.
>>
>> So, no I don't think there is any point in doing so. Not because it can't
>> be done but because it is both trivially useless.and uselessly trivial.
>>
>>
>>
>> On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>>>
>>> All,
>>>
>>> Curious what people think about more thought and control going into who
>>> can run the createsuperuser method?
>>>
>>> For example say there's models that I don't want anyone to touch except
>>> myself as a superuser. Is it not plausible that even if I make a Django
>>> Group around that model that someone could still run createsuperuser and
>>> give themselves the ability to have full control?
>>>
>>> Wouldn't it make sense if some random developer were to run
>>> createsuperuser using django settings with any of the databases (as an
>>> example) that it prevent them if say that email isn't on say an internal
>>> list in the django admin of approved potential users?
>>>
>>> I see something like this being a good idea to prevent just anyone from
>>> getting full control over the site without it being specifically provided.
>>>
>>> Maybe there's something I'm missing something but been reading about
>>> third party options and more about what's there and I just feel there's a
>>> hole when it comes to who can create a super user account. Obviously you
>>> could have a script that you run to initialize who is a super user, what
>>> the groups are etc, but then you're basically recording personal
>>> information somewhere when that should only be typed in.
>>>
>>> Open to ideas and thoughts, mostly just curious what could be a good
>>> answer.
>>>
>>> Best,
>>>
>>> JJ
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to django-users@googlegroups.com.
>> Visit this group at https://groups.google.com/group/django-users.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/f85e2d9b-ec2d-4814-b4d5-df137bf8a883%40googlegroups.com
>> 
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/CAHn91oeeEhnsdrWfur0pV-%2B-BGU_mT70fbbmc7qFM1SwB3Df%2Bg%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAHDaQHGYSkookJsAXDtjgD_FHkvNfJRRQ7peZiJgYJzsKV_QuA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: More controls on createsuperuser

[Jani Tiainen]

I've have to agree that any attempt to limit superuser creation through
manage.py is wrong solution to wrong problem.

Even it's possible to attempt it it is as easy to circumvent.

So do not give an access to manage.py to users that are not supposed to.
Problem solved for good.

ma 29. huhtik. 2019 klo 21.04  kirjoitti:

> Anyone capable of running the createsuperuser command on your project most
> probably has access to all and any of the project's files, specially your
> config file.
>
> Actually this user is either a valid su or you are in serious trouble
> because the security of your server sucks or you gave access to your
> project to the wrong person.
>
> So, no I don't think there is any point in doing so. Not because it can't
> be done but because it is both trivially useless.and uselessly trivial.
>
>
>
> On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>>
>> All,
>>
>> Curious what people think about more thought and control going into who
>> can run the createsuperuser method?
>>
>> For example say there's models that I don't want anyone to touch except
>> myself as a superuser. Is it not plausible that even if I make a Django
>> Group around that model that someone could still run createsuperuser and
>> give themselves the ability to have full control?
>>
>> Wouldn't it make sense if some random developer were to run
>> createsuperuser using django settings with any of the databases (as an
>> example) that it prevent them if say that email isn't on say an internal
>> list in the django admin of approved potential users?
>>
>> I see something like this being a good idea to prevent just anyone from
>> getting full control over the site without it being specifically provided.
>>
>> Maybe there's something I'm missing something but been reading about
>> third party options and more about what's there and I just feel there's a
>> hole when it comes to who can create a super user account. Obviously you
>> could have a script that you run to initialize who is a super user, what
>> the groups are etc, but then you're basically recording personal
>> information somewhere when that should only be typed in.
>>
>> Open to ideas and thoughts, mostly just curious what could be a good
>> answer.
>>
>> Best,
>>
>> JJ
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/f85e2d9b-ec2d-4814-b4d5-df137bf8a883%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAHn91oeeEhnsdrWfur0pV-%2B-BGU_mT70fbbmc7qFM1SwB3Df%2Bg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: More controls on createsuperuser

[nimbiotics]

Anyone capable of running the createsuperuser command on your project most 
probably has access to all and any of the project's files, specially your 
config file.

Actually this user is either a valid su or you are in serious trouble 
because the security of your server sucks or you gave access to your 
project to the wrong person.

So, no I don't think there is any point in doing so. Not because it can't 
be done but because it is both trivially useless.and uselessly trivial.



On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>
> All,
>
> Curious what people think about more thought and control going into who 
> can run the createsuperuser method?
>
> For example say there's models that I don't want anyone to touch except 
> myself as a superuser. Is it not plausible that even if I make a Django 
> Group around that model that someone could still run createsuperuser and 
> give themselves the ability to have full control?
>
> Wouldn't it make sense if some random developer were to run 
> createsuperuser using django settings with any of the databases (as an 
> example) that it prevent them if say that email isn't on say an internal 
> list in the django admin of approved potential users?
>
> I see something like this being a good idea to prevent just anyone from 
> getting full control over the site without it being specifically provided.
>
> Maybe there's something I'm missing something but been reading about third 
> party options and more about what's there and I just feel there's a hole 
> when it comes to who can create a super user account. Obviously you could 
> have a script that you run to initialize who is a super user, what the 
> groups are etc, but then you're basically recording personal information 
> somewhere when that should only be typed in.
>
> Open to ideas and thoughts, mostly just curious what could be a good 
> answer.
>
> Best,
>
> JJ
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/f85e2d9b-ec2d-4814-b4d5-df137bf8a883%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: More controls on createsuperuser

[Sooraj Parakkattil]

Sometimes during development usually this particular suggestion might be
unnecessary. This might be useful in the case of production. As in if DEBUG
=True then the creation of the superuser should need approval from the
existing admins.

Regards,

*S P R*


On Mon, Apr 29, 2019 at 9:05 AM JJ Zolper  wrote:

> What if maybe after the command is run once it then is required to check a
> list of approved subsequent admins before allowing creation of an account?
> Some kind of list stored in the admin that is required to be populated
> following the first admin, or maybe 3 admins?
>
> On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>>
>> All,
>>
>> Curious what people think about more thought and control going into who
>> can run the createsuperuser method?
>>
>> For example say there's models that I don't want anyone to touch except
>> myself as a superuser. Is it not plausible that even if I make a Django
>> Group around that model that someone could still run createsuperuser and
>> give themselves the ability to have full control?
>>
>> Wouldn't it make sense if some random developer were to run
>> createsuperuser using django settings with any of the databases (as an
>> example) that it prevent them if say that email isn't on say an internal
>> list in the django admin of approved potential users?
>>
>> I see something like this being a good idea to prevent just anyone from
>> getting full control over the site without it being specifically provided.
>>
>> Maybe there's something I'm missing something but been reading about
>> third party options and more about what's there and I just feel there's a
>> hole when it comes to who can create a super user account. Obviously you
>> could have a script that you run to initialize who is a super user, what
>> the groups are etc, but then you're basically recording personal
>> information somewhere when that should only be typed in.
>>
>> Open to ideas and thoughts, mostly just curious what could be a good
>> answer.
>>
>> Best,
>>
>> JJ
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/d6c2514a-e74f-4946-a1d8-7dbf57937096%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAA1gVCfTcqysrBsAHOV-POGmgEFbmH09E6F99gMO0j51oqyaog%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: More controls on createsuperuser

[JJ Zolper]

What if maybe after the command is run once it then is required to check a 
list of approved subsequent admins before allowing creation of an account? 
Some kind of list stored in the admin that is required to be populated 
following the first admin, or maybe 3 admins?

On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
>
> All,
>
> Curious what people think about more thought and control going into who 
> can run the createsuperuser method?
>
> For example say there's models that I don't want anyone to touch except 
> myself as a superuser. Is it not plausible that even if I make a Django 
> Group around that model that someone could still run createsuperuser and 
> give themselves the ability to have full control?
>
> Wouldn't it make sense if some random developer were to run 
> createsuperuser using django settings with any of the databases (as an 
> example) that it prevent them if say that email isn't on say an internal 
> list in the django admin of approved potential users?
>
> I see something like this being a good idea to prevent just anyone from 
> getting full control over the site without it being specifically provided.
>
> Maybe there's something I'm missing something but been reading about third 
> party options and more about what's there and I just feel there's a hole 
> when it comes to who can create a super user account. Obviously you could 
> have a script that you run to initialize who is a super user, what the 
> groups are etc, but then you're basically recording personal information 
> somewhere when that should only be typed in.
>
> Open to ideas and thoughts, mostly just curious what could be a good 
> answer.
>
> Best,
>
> JJ
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/d6c2514a-e74f-4946-a1d8-7dbf57937096%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

More controls on createsuperuser

[JJ Zolper]

All,

Curious what people think about more thought and control going into who can 
run the createsuperuser method?

For example say there's models that I don't want anyone to touch except 
myself as a superuser. Is it not plausible that even if I make a Django 
Group around that model that someone could still run createsuperuser and 
give themselves the ability to have full control?

Wouldn't it make sense if some random developer were to run createsuperuser 
using django settings with any of the databases (as an example) that it 
prevent them if say that email isn't on say an internal list in the django 
admin of approved potential users?

I see something like this being a good idea to prevent just anyone from 
getting full control over the site without it being specifically provided.

Maybe there's something I'm missing something but been reading about third 
party options and more about what's there and I just feel there's a hole 
when it comes to who can create a super user account. Obviously you could 
have a script that you run to initialize who is a super user, what the 
groups are etc, but then you're basically recording personal information 
somewhere when that should only be typed in.

Open to ideas and thoughts, mostly just curious what could be a good answer.

Best,

JJ

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/f8e18aa2-becb-4c06-bc6b-397652332602%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.