#29110 closed Bug (duplicate)

A user with change_permission for the User model can make themselves a superuser.

Reported by: Jonathan Sundqvist Owned by: nobody
Component: contrib.admin Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The expected behaviour is that only a superuser should be able to make others a superuser. The current behaviour is that you only need a change_permission on the user table to get superuser access.

Change History (1)

comment:1 Changed 22 months ago by Ramiro Morales

Resolution: duplicate
Status: newclosed

Duplicate of #23559

Note: See TracTickets for help on using tickets.
Back to Top