Opened 16 years ago
Closed 16 years ago
#8761 closed (wontfix)
Permissions bug in Admin area
| Reported by: | caphun | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Keywords: | admin, interface, permissions, users, groups, bug | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If a user is given add/edit/delete permissions to user objects, the user is then able to create other users with greater permissions than itself, even promoting others to superuser status. Furthermore that user could also turn itself super by editing profile. Running off latest SVN version.
Change History (5)
comment:1 by , 16 years ago
| milestone: | 1.0 → post-1.0 |
|---|
comment:2 by , 16 years ago
You really got me there :)
I honestly did not anticipate that by giving a non-superuser the ability to add other users is equivalent to making them a superuser (by implication that is ;)
Can't wait to see this "feature" included. Hope it's not at the bottom of the list!
comment:5 by , 16 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Without any sort of row-level permissions -- which, at the moment, is nowhere near even being considered for addition -- this is impossible.
Note:
See TracTickets
for help on using tickets.
I'd guess this would either mean:
So, it's not really a bug, but a feature request. You could say it's a gotcha if you wish ;)
I'll mark this post-1.0; But it's likely to die as "invalid" and maybe opened as "Provide finer control in contrib.auth" when the above gets implemented ;)