Re: granting staff permissions without superuser permission?
Staff means you have the ability to create/delete/modify anything in the database that you have permissions for (by default, this is everything, I believe). Superuser means you have it no matter what permissions are set. You basically have every single permission automatically.

This is a Django thing, and not controlled by Review Board in any way. It seems like something they should probably prevent. I think the proper thing to do, though, is to just not give staff members the ability to modify users by default. I see nothing in Django that prevents modifying this flag otherwise.

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com

On Wed, Mar 10, 2010 at 11:17 AM, Matthew Woehlke mw_tr...@users.sourceforge.net wrote:

> I noticed something surprising today. Besides my RB root account, I have my personal account set up with staff permissions (so I and others can e.g. add users without using the superuser account), but apparently this power includes the ability to make anyone superuser. Is there a permission to prevent that?
>
> I'm using RB 1.0.5.1.
>
> --
> Matthew

--
Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Re: granting staff permissions without superuser permission?
On 2010-03-10 15:07, Christian Hammond wrote:
> Staff means you have the ability to create/delete/modify anything in the database that you have permissions for (by default, this is everything, I believe). Superuser means you have it no matter what permissions are set. You basically have every single permission automatically.
>
> This is a Django thing, and not controlled by Review Board in any way. It seems like something they should probably prevent. I think the proper thing to do, though, is to just not give staff members the ability to modify users by default. I see nothing in Django that prevents modifying this flag otherwise.

Okay, thanks. Unfortunately that seems like it would defeat the goal of staff being able to create users and reset passwords :-(. It seems rather counter-intuitive that the 'may modify users' and 'superuser' flags are effectively synonymous. I guess I should bug Django about it?

--
Matthew
Re: granting staff permissions without superuser permission?
I would be pretty curious to see what they say about this. I've never thought about it.

Looks like you're not the first to notice this: http://stackoverflow.com/questions/2297377/how-do-i-prevent-permission-escalation-in-django-admin-when-granting-user-change

We probably could make a custom UserChangeForm as they demonstrate. We already have one, actually. Still, I'd like to see this fixed upstream.

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com

On Wed, Mar 10, 2010 at 1:11 PM, Matthew Woehlke mw_tr...@users.sourceforge.net wrote:

> On 2010-03-10 15:07, Christian Hammond wrote:
> > Staff means you have the ability to create/delete/modify anything in the database that you have permissions for (by default, this is everything, I believe). Superuser means you have it no matter what permissions are set. You basically have every single permission automatically.
> >
> > This is a Django thing, and not controlled by Review Board in any way. It seems like something they should probably prevent. I think the proper thing to do, though, is to just not give staff members the ability to modify users by default. I see nothing in Django that prevents modifying this flag otherwise.
>
> Okay, thanks. Unfortunately that seems like it would defeat the goal of staff being able to create users and reset passwords :-(. It seems rather counter-intuitive that the 'may modify users' and 'superuser' flags are effectively synonymous. I guess I should bug Django about it?
>
> --
> Matthew
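The admin-side fix the reply points at, as an added example that is neither Review Board's code nor the linked Stack Overflow answer: a mixin for Django's UserAdmin that hides the privileged fields from non-superuser staff, refuses to let them edit superuser accounts (which covers password resets), and re-checks on save. It assumes Django's ModelAdmin hook names (get_readonly_fields, has_change_permission, save_model, form.changed_data); the fake_* helpers are constructed stand-ins so the policy can run without Django.

```python
"""Added example, not Review Board's code: Django admin mixin so staff with
auth.change_user cannot grant privileges they lack.  Assumes Django's ModelAdmin
hook names and request.user.is_superuser; fake_* are constructed stand-ins."""
from types import SimpleNamespace

# Fields through which a non-superuser could hand out rights it lacks.
PRIVILEGED_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")

class EscalationDenied(Exception):
    """A non-superuser tried to touch a privileged field or account."""

def escalation_reason(actor, target, changed_fields):
    """Why actor may not apply changed_fields to target (None for a new
    account); returns None when the edit is fine.  Pure: no ORM needed."""
    if actor.is_superuser:
        return None
    if target is not None and target.is_superuser:
        return "non-superusers may not edit superuser accounts"
    touched = sorted(set(changed_fields) & set(PRIVILEGED_FIELDS))
    return "non-superusers may not change " + ", ".join(touched) if touched else None

class NoEscalationMixin:
    """Left-most in the MRO: class HardenedUserAdmin(NoEscalationMixin, UserAdmin)."""

    def get_readonly_fields(self, request, obj=None):
        # First layer: the form does not even offer the privileged widgets.
        base = tuple(getattr(self, "readonly_fields", ()))
        if request.user.is_superuser:
            return base
        return base + tuple(f for f in PRIVILEGED_FIELDS if f not in base)

    def has_change_permission(self, request, obj=None):
        # Also gates the admin's password-change view for that account.
        if obj is not None and escalation_reason(request.user, obj, ()):
            return False
        return super().has_change_permission(request, obj)

    def save_model(self, request, obj, form, change):
        # Second layer: re-check server side so a hand-edited POST cannot win.
        reason = escalation_reason(request.user, obj if change else None, form.changed_data)
        if reason:
            raise EscalationDenied(reason)
        super().save_model(request, obj, form, change)

def fake_user(name, is_superuser=False):  # constructed stand-in for auth.User
    return SimpleNamespace(username=name, is_superuser=is_superuser, is_staff=True)

def fake_request(user):  # constructed stand-in for an admin request
    return SimpleNamespace(user=user)
```

In a real admin.py the mixin is combined with django.contrib.auth.admin.UserAdmin and registered in place of the stock one; the pure escalation_reason function is what gets unit-tested.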