Opened 17 years ago
Closed 13 years ago
#6519 closed New feature (invalid)
admin: "Can change user" permission allows to change all others even w/o "Can change permissions"
Reported by: | | Owned by: | thauber |
---|---|---|---|
Component: | contrib.admin | Version: | newforms-admin |
Severity: | Normal | Keywords: | permissions nfa-someday |
Cc: | | Triage Stage: | Design decision needed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Giving a user the "Can change user" permission in the admin interface, automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.
Specifically, I wanted to allow users to change their own details, or at least password...
Django revision: 6914
THX
Raik
Change History (9)
comment:1 by , 17 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Version: | SVN → newforms-admin |
comment:2 by , 17 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 17 years ago
Owner: | changed from | to
---|---|
Status: | assigned → new |
comment:4 by , 17 years ago
Status: | new → assigned |
---|
comment:5 by , 16 years ago
Keywords: | nfa-someday added |
---|
Opened against old admin, should not block merge.
comment:6 by , 14 years ago
Triage Stage: | Accepted → Design decision needed |
---|
Replying to raik.gruenberg@crg.es:

> Giving a user the "Can change user" permission in the admin interface, automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.

I think there is some confusion about the semantics of these permissions here. The "Can change permission" permission is about being able to change a Permission instance (permissions are models themselves, although there is no standalone CRUD UI in the admin for them), e.g. changing their name. It's not about being able or not to change the permissions assigned to a given user; such a task is allowed as part of the "Can change user" permission (User has an m2m relationship to Permission). Both of these features deserve their own tickets.

> Specifically, I wanted to allow users to change their own details, or at least password...

This isn't currently possible; Django hasn't yet a full per-row permission system/admin app (I think this would allow or at least be of help to what you need). Another possibility would be to propose a general solution so there is a better workflow for users being able to change their own (and no others') details using the admin (maybe also taking into account #8159?).

I'm moving back this ticket to 'Design decision needed'.
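
The semantics described in comment:6, as an added example that is not part of the ticket or of Django's code: a plain-Python audit that lists accounts which can log in to the admin and hold "Can change user" (directly or through a group), and which therefore need the same review as superusers. The `Account` class, the group names and the sample accounts are constructed for illustration; only the two permission codenames are Django's.

```python
# Added illustration (not Django code): the data is constructed; only the two
# codenames below are Django's own permission names.
from dataclasses import dataclass, field

CHANGE_USER = "auth.change_user"              # edit User rows, incl. flags and permissions
CHANGE_PERMISSION = "auth.change_permission"  # edit Permission rows only (e.g. their name)

@dataclass
class Account:
    username: str
    is_active: bool = True
    is_staff: bool = False       # required to log in to the admin
    is_superuser: bool = False
    user_permissions: set = field(default_factory=set)
    groups: list = field(default_factory=list)  # group names

def effective_permissions(account, group_permissions):
    """Union of directly assigned and group-inherited permissions."""
    perms = set(account.user_permissions)
    for name in account.groups:
        perms |= group_permissions.get(name, set())
    return perms

def superuser_equivalents(accounts, group_permissions):
    """Non-superusers who can reach the admin and edit User objects.

    Per the ticket, such an account can assign any permission or the
    superuser flag to any user, so it should be reviewed like a superuser.
    """
    flagged = []
    for acc in accounts:
        if acc.is_superuser or not (acc.is_active and acc.is_staff):
            continue
        if CHANGE_USER in effective_permissions(acc, group_permissions):
            flagged.append(acc.username)
    return sorted(flagged)

# Constructed sample data.
GROUPS = {"helpdesk": {CHANGE_USER}, "catalog": {"shop.change_product"}}
ACCOUNTS = [
    Account("root", is_staff=True, is_superuser=True),
    Account("alice", is_staff=True, groups=["helpdesk"]),
    Account("bob", is_staff=True, user_permissions={CHANGE_PERMISSION}),
    Account("carol", is_staff=True, user_permissions={CHANGE_USER}),
    Account("dave", is_staff=False, user_permissions={CHANGE_USER}),
    Account("erin", is_active=False, is_staff=True, groups=["helpdesk"]),
]

if __name__ == "__main__":
    print(superuser_equivalents(ACCOUNTS, GROUPS))
```

Holding only "Can change permission" (bob) does not put an account on the list, which matches the distinction drawn in the comment above.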
comment:7 by , 14 years ago
Type: | → New feature |
---|
comment:8 by , 13 years ago
Severity: | → Normal |
---|
comment:9 by , 13 years ago
Easy pickings: | unset |
---|---|
Resolution: | → invalid |
Status: | assigned → closed |
UI/UX: | unset |
This ticket resulted from a confusion about the wording of permissions; not seeing a clear action proposal here.
anonymous was me