Opened 7 years ago

Closed 4 years ago

#6519 closed New feature (invalid)

admin: "Can change user" permission allows changing all others even w/o "Can change permissions"

Reported by: raik.gruenberg@…
Owned by: thauber
Component: contrib.admin
Version: newforms-admin
Severity: Normal
Keywords: permissions nfa-someday
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Giving a user the "Can change user" permission in the admin interface automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.

Specifically, I wanted to allow users to change their own details, or at least password...

Django revision: 6914

THX
Raik

Change History (9)

comment:1 Changed 7 years ago by Simon Greenhill <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Version changed from SVN to newforms-admin

comment:2 Changed 7 years ago by anonymous

  • Owner changed from nobody to anonymous
  • Status changed from new to assigned

comment:3 Changed 7 years ago by thauber

  • Owner changed from anonymous to thauber
  • Status changed from assigned to new

anonymous was me

comment:4 Changed 7 years ago by thauber

  • Status changed from new to assigned

comment:5 Changed 7 years ago by Karen Tracey <kmtracey@…>

  • Keywords nfa-someday added

Opened against old admin, should not block merge.

comment:6 in reply to: ↑ description Changed 4 years ago by ramiro

  • Triage Stage changed from Accepted to Design decision needed

Replying to raik.gruenberg@crg.es:

> Giving a user the "Can change user" permission in the admin interface automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.

I think there is some confusion about the semantics of these permissions here. The "Can change permission" permission is about being able to change a Permission instance (permissions are models themselves, although there is no standalone CRUD UI in the admin for them), e.g. changing their name. It's not about being able or not to change the permissions assigned to a given user; such a task is allowed as part of the "Can change user" permission (User has an m2m relationship to Permission). Both of these features deserve their own tickets.

> Specifically, I wanted to allow users to change their own details, or at least password...

This isn't currently possible; Django doesn't yet have a full per-row permission system/admin app (I think this would allow, or at least be of help to, what you need). Another possibility would be to propose a general solution so there is a better workflow for users being able to change their own (and no others') details using the admin (maybe also taking into account #8159?).

I'm moving this ticket back to 'Design decision needed'.
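As an added illustration of the distinction ramiro draws above (example code, not Django's own and not from this ticket): because "Can change user" covers the User's m2m to Permission, a staff user holding only auth.change_user can hand out superuser status through the User change form. A project that wants the narrower behaviour the reporter expected can lock those fields in its own ModelAdmin, as below. The names PrivilegeLockMixin, locked_privilege_fields and may_edit_target are assumptions; the mixin is meant to be combined with django.contrib.auth.admin.UserAdmin in the project's admin.py.

```python
"""Hardened admin User form: a staff user with only auth.change_user can edit
ordinary users but cannot grant is_superuser/is_staff, assign groups or
permissions, or touch superuser accounts. Added example, not Django's own code;
PrivilegeLockMixin, locked_privilege_fields and may_edit_target are our names."""

# Fields on the User change form through which an editor can hand out privileges.
PRIVILEGE_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")


def locked_privilege_fields(editor_is_superuser, base_readonly=()):
    """Read-only field list for the User change form, given who is editing.

    Superusers keep the form as shipped; anyone else gets the privilege-granting
    fields read-only. Django leaves read-only fields out of the bound ModelForm,
    so a hand-crafted POST that includes them is ignored rather than saved.
    """
    base = tuple(base_readonly)
    if editor_is_superuser:
        return base
    return base + tuple(f for f in PRIVILEGE_FIELDS if f not in base)


def may_edit_target(editor_is_superuser, target_is_superuser):
    """Only a superuser may edit a superuser's record (password, e-mail, is_active)."""
    return editor_is_superuser or not target_is_superuser


class PrivilegeLockMixin:
    """Put this before UserAdmin in the bases, in your app's admin.py:

        class HardenedUserAdmin(PrivilegeLockMixin, UserAdmin):
            pass

        admin.site.unregister(User)
        admin.site.register(User, HardenedUserAdmin)
    """

    def get_readonly_fields(self, request, obj=None):
        base = super().get_readonly_fields(request, obj)
        return locked_privilege_fields(request.user.is_superuser, base)

    def has_change_permission(self, request, obj=None):
        # Keep the normal auth.change_user check, then add the per-object rule.
        # obj is None on the changelist; the change form and the admin's
        # change-password view pass the target user, so both are covered.
        if not super().has_change_permission(request, obj):
            return False
        return obj is None or may_edit_target(request.user.is_superuser, obj.is_superuser)
```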

comment:7 Changed 4 years ago by julien

  • Type set to New feature

comment:8 Changed 4 years ago by julien

  • Severity set to Normal

comment:9 Changed 4 years ago by carljm

  • Easy pickings unset
  • Resolution set to invalid
  • Status changed from assigned to closed
  • UI/UX unset

This ticket resulted from a confusion about the wording of permissions; not seeing a clear action proposal here.
