admin: "Can change user" permission allows to change all others even w/o "Can change permissions"
|Reported by:||raik.gruenberg@…||Owned by:||thauber|
|Cc:||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Giving a user the "Can change user" permission in the admin interface, automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.
Specifically, I wanted to allow users to change their own details, or at least password...
Django revision: 6914
Change History (9)
comment:1 Changed 8 years ago by Simon Greenhill <dev@…>
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted
- Version changed from SVN to newforms-admin
comment:2 Changed 7 years ago by anonymous
- Owner changed from nobody to anonymous
- Status changed from new to assigned
comment:3 Changed 7 years ago by thauber
- Owner changed from anonymous to thauber
- Status changed from assigned to new
comment:6 in reply to: ↑ description Changed 5 years ago by ramiro
- Triage Stage changed from Accepted to Design decision needed