Opened 16 years ago

Closed 16 years ago

#8761 closed (wontfix)

Permissions bug in Admin area

Reported by: caphun
Owned by: nobody
Component: contrib.admin
Version: dev
Severity:
Keywords: admin, interface, permissions, users, groups, bug
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If a user is given add/edit/delete permissions to user objects, the user is then able to create other users with greater permissions than itself, even promoting others to superuser status. Furthermore, that user could also turn itself super by editing its profile. Running off latest SVN version.

Change History (5)

comment:1 by Marc Fargas, 16 years ago

milestone: 1.0 → post-1.0

I'd guess this would either mean:

  • Field/Row level permissions, which are not (yet) implemented.
  • Provide more fine-grained permissions.

So, it's not really a bug, but a feature request. You could say it's a gotcha if you wish ;)

I'll mark this post-1.0; but it's likely to die as "invalid" and maybe opened as "Provide finer control in contrib.auth" when the above gets implemented ;)

comment:2 by caphun, 16 years ago

You really got me there :)

I honestly did not anticipate that giving a non-superuser the ability to add other users is equivalent to making them a superuser (by implication, that is ;)

Can't wait to see this "feature" included. Hope it's not at the bottom of the list!

comment:3 by anonymous, 16 years ago

This is quite a serious flaw. Please can we have this feature included!

comment:4 by (none), 16 years ago

milestone: post-1.0

Milestone post-1.0 deleted

comment:5 by Jacob, 16 years ago

Resolution: wontfix
Status: new → closed

Without any sort of row-level permissions -- which, at the moment, is nowhere near even being considered for addition -- this is impossible.
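
The escalation reported in this ticket, as an added example that is not part of the ticket or of Django's code: a framework-independent check that refuses a user save when it would give the target more privilege than the editor holds. `Account` and `escalation_errors` are hypothetical names, and the sample accounts are constructed; only the `app_label.codename` permission strings follow contrib.auth.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    """Hypothetical stand-in for a contrib.auth user (not Django's User model)."""
    username: str
    is_superuser: bool = False
    permissions: frozenset = frozenset()  # "app_label.codename" strings

def escalation_errors(actor, before, after):
    """List why `actor` may not save `after`; `before` is None on creation."""
    if actor.is_superuser:
        return []  # a superuser already holds every permission
    errors = []
    needed = "auth.add_user" if before is None else "auth.change_user"
    if needed not in actor.permissions:
        errors.append("editor lacks " + needed)
    old = before if before is not None else Account(after.username)
    if after.is_superuser and not old.is_superuser:
        errors.append("only a superuser may grant is_superuser")
    # Newly granted permissions must be a subset of what the editor holds.
    beyond = (after.permissions - old.permissions) - actor.permissions
    if beyond:
        errors.append("editor cannot grant: " + ", ".join(sorted(beyond)))
    return errors

# Constructed sample data: a staff account allowed to add and change users.
HELPDESK = Account("helpdesk", permissions=frozenset({"auth.add_user", "auth.change_user"}))
ROOT = Account("root", is_superuser=True)

def demo():
    new_admin = Account("alice", is_superuser=True)
    self_promoted = Account("helpdesk", True, HELPDESK.permissions)
    wider = Account("bob", permissions=frozenset({"auth.delete_user"}))
    plain = Account("carol", permissions=frozenset({"auth.change_user"}))
    return {
        "create superuser": escalation_errors(HELPDESK, None, new_admin),
        "promote self": escalation_errors(HELPDESK, HELPDESK, self_promoted),
        "grant unheld permission": escalation_errors(HELPDESK, None, wider),
        "create ordinary user": escalation_errors(HELPDESK, None, plain),
        "superuser creates superuser": escalation_errors(ROOT, None, new_admin),
    }

if __name__ == "__main__":
    for case, errs in demo().items():
        print(case, "->", errs or "allowed")
```

In a Django project a check like this would typically run in the user form's validation, with fields such as `is_superuser` hidden from non-superusers in the admin.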
