I noticed something surprising today. Besides my RB root account, I
have my personal account set up with staff permissions (so I and
others can e.g. add users without using the superuser account), but
apparently this power includes the ability to make anyone superuser. Is
there a permission to
Staff means you have the ability to create/delete/modify anything in the
database that you have permissions for (by default, this is everything, I
believe). Superuser means you have it no matter what permissions are set.
You basically have every single permission automatically.
This is a Django
On 2010-03-10 15:07, Christian Hammond wrote:
Staff means you have the ability to create/delete/modify anything in the
database that you have permissions for (by default, this is everything, I
believe). Superuser means you have it no matter what permissions are set.
You basically have every
I would be pretty curious to see what they say about this. I've never
thought about it.
Looks like you're no the first to notice this:
http://stackoverflow.com/questions/2297377/how-do-i-prevent-permission-escalation-in-django-admin-when-granting-user-change
We probably could make a custom