Opened 7 years ago
Closed 7 years ago
#29110 closed Bug (duplicate)
A user with change_permission for the User model can make themselves a superuser.
| Reported by: | Jonathan Sundqvist | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The expected behaviour is that only a superuser should be able to make others a superuser. The current behaviour is that you only need a change_permission on the user table to get superuser access.
Note:
See TracTickets
for help on using tickets.
Duplicate of #23559