Opened 6 years ago

Closed 5 years ago

#8761 closed (wontfix)

Permissions bug in Admin area

Reported by: caphun
Owned by: nobody
Component: contrib.admin
Version: master
Severity: (none)
Keywords: admin, interface, permissions, users, groups, bug
Cc: (none)
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: (none)
UI/UX: (none)

Description

If a user is given add/edit/delete permissions on user objects, that user is then able to create other users with greater permissions than itself, even promoting others to superuser status. Furthermore, that user could also turn itself super by editing its own profile. Running off the latest SVN version.
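The escalation the reporter describes, and one site-level guard against it, as an added example that is not code from this ticket or from Django itself. Django is not imported, so the file runs stand-alone: `User`, `FakeRequest` and the two admin classes are stand-ins whose method names and signatures (`has_change_permission`, `get_readonly_fields`) mirror `django.contrib.admin.ModelAdmin`; in a real project `HardenedUserAdmin` would subclass `django.contrib.auth.admin.UserAdmin` and replace the default registration with `admin.site.unregister(User)` followed by `admin.site.register(User, HardenedUserAdmin)`. The field names, the `helpdesk`/`root` accounts and `submit_change` are constructed for the illustration.

```python
"""Privilege escalation through auth.change_user, and a field-level guard.

Added example, not code from the ticket or from Django.  Django is not
imported; the classes below are stand-ins that mirror the ModelAdmin hook
names so the logic can run offline.  In a real project HardenedUserAdmin
subclasses django.contrib.auth.admin.UserAdmin.
"""
from dataclasses import dataclass, field

# Fields that let a User record confer or revoke privileges.
PRIVILEGED_FIELDS = ("is_superuser", "is_staff", "groups", "user_permissions")


@dataclass
class User:
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        # Mirrors Django: a superuser implicitly holds every permission.
        return self.is_superuser or perm in self.perms


@dataclass
class FakeRequest:
    user: User


class DefaultUserAdmin:
    """Stock behaviour: anyone holding auth.change_user may edit every field."""

    def has_change_permission(self, request, obj=None):
        return request.user.has_perm("auth.change_user")

    def get_readonly_fields(self, request, obj=None):
        return ()


class HardenedUserAdmin(DefaultUserAdmin):
    """Stand-in for ``class HardenedUserAdmin(UserAdmin)`` with two overrides."""

    def has_change_permission(self, request, obj=None):
        # A non-superuser may not touch a superuser account at all (no
        # demotion, no password reset of an admin).  Django also calls this
        # with obj=None for the changelist, so deny only for a concrete object.
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return super().has_change_permission(request, obj)

    def get_readonly_fields(self, request, obj=None):
        # Only a superuser may grant superuser/staff status or assign groups
        # and permissions.  Read-only fields are excluded from the ModelForm,
        # so a hand-crafted POST carrying them is ignored, not just hidden.
        readonly = list(super().get_readonly_fields(request, obj))
        if not request.user.is_superuser:
            readonly.extend(PRIVILEGED_FIELDS)
        return readonly


def submit_change(admin, actor, target, posted):
    """Apply a change-form POST the way the admin does: refuse the edit when
    has_change_permission fails, otherwise save every non-read-only field.
    Returns True when the save happened."""
    request = FakeRequest(user=actor)
    if not admin.has_change_permission(request, target):
        return False
    readonly = set(admin.get_readonly_fields(request, target))
    for name, value in posted.items():
        if name in readonly:
            continue  # silently dropped, exactly as for a read-only form field
        setattr(target, name, value)
    return True


def escalation_demo(admin):
    """A staff user holding only add/change/delete on User edits its own
    record and posts is_superuser=True.  Returns whether it is now superuser."""
    helpdesk = User("helpdesk", is_staff=True,
                    perms={"auth.add_user", "auth.change_user", "auth.delete_user"})
    submit_change(admin, helpdesk, helpdesk, {"is_superuser": True})
    return helpdesk.is_superuser


if __name__ == "__main__":
    print("default admin, self-promotion works:", escalation_demo(DefaultUserAdmin()))
    print("hardened admin, self-promotion works:", escalation_demo(HardenedUserAdmin()))
```

This closes the promotion path described in the ticket (self-promotion, promoting others, and editing superuser accounts) but is not a permission model: a user with `auth.change_user` can still, for instance, reset the password of any non-superuser staff account, so the guard is a site-specific workaround, not a substitute for the finer-grained permissions the ticket asks for.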

Attachments (0)

Change History (5)

comment:1 Changed 6 years ago by telenieko

  • milestone changed from 1.0 to post-1.0
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

I'd guess this would either mean:

  • Field/Row level permissions, which are not (yet) implemented.
  • Provide more fine-grained permissions.

So, it's not really a bug, but a feature request. You could say it's a gotcha if you wish ;)

I'll mark this post-1.0, but it's likely to die as "invalid" and maybe be reopened as "Provide finer control in contrib.auth" when the above gets implemented ;)

comment:2 Changed 6 years ago by caphun

You really got me there :)

I honestly did not anticipate that giving a non-superuser the ability to add other users is equivalent to making them a superuser (by implication, that is ;)

Can't wait to see this "feature" included. Hope it's not at the bottom of the list!

comment:3 Changed 6 years ago by anonymous

This is quite a serious flaw. Please can we have this feature included!

comment:4 Changed 5 years ago by anonymous

  • milestone post-1.0 deleted

Milestone post-1.0 deleted

comment:5 Changed 5 years ago by jacob

  • Resolution set to wontfix
  • Status changed from new to closed

Without any sort of row-level permissions -- which, at the moment, is nowhere near even being considered for addition -- this is impossible.
