Re: granting staff permissions without superuser permission?

2010-03-10 Thread Christian Hammond
Staff means you have the ability to create/delete/modify anything in the
database that you have permissions for (by default, this is everything, I
believe). Superuser means you have it no matter what permissions are set.
You basically have every single permission automatically.

This is a Django thing, and not controlled by Review Board in any way. It
seems like something they should probably prevent. I think the proper thing
to do, though, is to just not give staff members the ability to modify users
by default. I see nothing in Django that prevents modifying this flag
otherwise.

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Wed, Mar 10, 2010 at 11:17 AM, Matthew Woehlke
mw_tr...@users.sourceforge.net wrote:

> I noticed something surprising today. Besides my RB root account, I have
> my personal account set up with staff permissions (so I and others can
> e.g. add users without using the superuser account), but apparently this
> power includes the ability to make anyone superuser. Is there a permission
> to prevent that?
>
> I'm using RB 1.0.5.1.
>
> --
> Matthew
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> -~--~~~~--~~--~--~---
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en

Re: granting staff permissions without superuser permission?

2010-03-10 Thread Matthew Woehlke

On 2010-03-10 15:07, Christian Hammond wrote:

> Staff means you have the ability to create/delete/modify anything in the
> database that you have permissions for (by default, this is everything, I
> believe). Superuser means you have it no matter what permissions are set.
> You basically have every single permission automatically.
>
> This is a Django thing, and not controlled by Review Board in any way. It
> seems like something they should probably prevent. I think the proper thing
> to do, though, is to just not give staff members the ability to modify users
> by default. I see nothing in Django that prevents modifying this flag
> otherwise.


Okay, thanks. Unfortunately that seems like it would defeat the goal of 
staff being able to create users and reset passwords :-(.


It seems rather counter-intuitive that the 'may modify users' and 
'superuser' flags are effectively synonymous. I guess I should bug 
Django about it?


--
Matthew


Re: granting staff permissions without superuser permission?

2010-03-10 Thread Christian Hammond
I would be pretty curious to see what they say about this. I've never
thought about it.

Looks like you're not the first to notice this:

http://stackoverflow.com/questions/2297377/how-do-i-prevent-permission-escalation-in-django-admin-when-granting-user-change

We probably could make a custom UserChangeForm as they demonstrate. We
already have one, actually. Still, I'd like to see this fixed upstream.

Christian


-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Wed, Mar 10, 2010 at 1:11 PM, Matthew Woehlke
mw_tr...@users.sourceforge.net wrote:

> On 2010-03-10 15:07, Christian Hammond wrote:
>
>> Staff means you have the ability to create/delete/modify anything in the
>> database that you have permissions for (by default, this is everything, I
>> believe). Superuser means you have it no matter what permissions are set.
>> You basically have every single permission automatically.
>>
>> This is a Django thing, and not controlled by Review Board in any way. It
>> seems like something they should probably prevent. I think the proper
>> thing to do, though, is to just not give staff members the ability to
>> modify users by default. I see nothing in Django that prevents modifying
>> this flag otherwise.
>
> Okay, thanks. Unfortunately that seems like it would defeat the goal of
> staff being able to create users and reset passwords :-(.
>
> It seems rather counter-intuitive that the 'may modify users' and
> 'superuser' flags are effectively synonymous. I guess I should bug Django
> about it?
>
> --
> Matthew

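The mitigation Christian points at (a custom user change form that stops a staff editor flipping is_superuser) comes down to a small policy, shown here as an added example that is neither Review Board's nor Django's own code: a non-superuser editor gets the privilege-granting fields read-only, and may not edit a superuser account at all, because resetting a superuser's password is the same escalation as setting the flag on yourself. The User class is a constructed stand-in for django.contrib.auth's User, the sample users are constructed, and the hook names mentioned in the comments (get_readonly_fields, has_change_permission, the form's clean) are Django's real ones.

```python
"""Guard logic for a Django user-change form so that a staff editor who is not
a superuser cannot escalate privileges. Added example, not Review Board's or
Django's code; the User class is a constructed stand-in for
django.contrib.auth.models.User. In a real project the three functions would
back UserAdmin.get_readonly_fields(), UserAdmin.has_change_permission() and
the custom UserChangeForm.clean()."""
from dataclasses import dataclass

# Django's real field names whose change grants or widens privileges.
PRIVILEGE_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")


@dataclass
class User:
    """Constructed stand-in carrying only the flags the policy looks at."""
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    is_active: bool = True
    groups: frozenset = frozenset()
    user_permissions: frozenset = frozenset()


def readonly_fields_for(editor: User) -> tuple:
    """Fields the admin form renders read-only (and drops from the POST) for
    this editor: everything privilege-related unless they are a superuser."""
    return () if editor.is_superuser else PRIVILEGE_FIELDS


def may_edit(editor: User, target: User) -> bool:
    """Superusers edit anyone. Staff may edit ordinary accounts (create users,
    reset passwords) but never a superuser: resetting a superuser's password
    is the same escalation as setting is_superuser on yourself."""
    if editor.is_superuser:
        return True
    return editor.is_staff and not target.is_superuser


def rejected_changes(editor: User, target: User, submitted: dict) -> list:
    """Server-side check of a submitted form (never trust the UI alone).
    Returns the privilege fields the editor tried to change without the
    right to, or ['__all__'] if the target is off limits; [] means accept."""
    if not may_edit(editor, target):
        return ["__all__"]
    locked = readonly_fields_for(editor)
    return [name for name in locked
            if name in submitted and submitted[name] != getattr(target, name)]
```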