id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23559	Staff (not superusers) should not manage perms of Users	Vlada Macek		"In our project we want to let some colleagues see and modify several tables, including the Users table. Nevertheless, I don't want the colleague to be able to elevate his or anybody else's privileges.

May I submit a little change to {{{UserAdmin}}} similar to the following for consideration?

{{{#!python
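def get_readonly_fields(self, request, obj=None):
    # Copy to a tuple first: if readonly_fields is declared as a list,
    # an in-place += would mutate the shared class attribute.
    rof = tuple(super(UserAdmin, self).get_readonly_fields(request, obj))
    if not request.user.is_superuser:
        # Non-superusers can view but not edit the privilege-granting fields.
        rof += ('is_staff', 'is_superuser', 'groups', 'user_permissions')
    return rof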
}}}

I rather doubt there is a use case for the current behaviour: once access to the Users table is given, one can do anything.

In case the behavior change gets rejected, how about adding it as a tip in the doc?"	New feature	new	contrib.auth		Normal			Chris Foresman cmawebsite@…	Accepted	0	0	0	0	0	0
