admin: "Can change user" permission allows to change all others even w/o "Can change permissions"
|Reported by:||Owned by:||thauber|
|Cc:||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Giving a user the "Can change user" permission in the admin interface, automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.
Specifically, I wanted to allow users to change their own details, or at least password...
Django revision: 6914