Opened 10 years ago

Closed 9 years ago

#8761 closed (wontfix)

Permissions bug in Admin area

Reported by: caphun
Owned by: nobody
Component: contrib.admin
Version: master
Severity:
Keywords: admin, interface, permissions, users, groups, bug
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


If a user is given add/edit/delete permissions to user objects, the user is then able to create other users with greater permissions than itself, even promoting others to superuser status. Furthermore, that user could also turn itself super by editing profile. Running off latest SVN version.

Change History (5)

comment:1 Changed 10 years ago by Marc Fargas

milestone: 1.0 → post-1.0

I'd guess this would either mean:

  • Field/Row level permissions, which are not (yet) implemented.
  • Provide more fine-grained permissions.

So, it's not really a bug, but a feature request. You could say it's a gotcha if you wish ;)

I'll mark this post-1.0; but it's likely to die as "invalid" and maybe opened as "Provide finer control in contrib.auth" when the above gets implemented ;)

comment:2 Changed 10 years ago by caphun

You really got me there :)

I honestly did not anticipate that giving a non-superuser the ability to add other users is equivalent to making them a superuser (by implication that is ;)

Can't wait to see this "feature" included. Hope it's not at the bottom of the list!

comment:3 Changed 10 years ago by anonymous

This is quite a serious flaw. Please can we have this feature included!

comment:4 Changed 9 years ago by (none)

milestone: post-1.0

Milestone post-1.0 deleted

comment:5 Changed 9 years ago by Jacob

Resolution: wontfix
Status: new → closed

Without any sort of row-level permissions -- which, at the moment, is nowhere near even being considered for addition -- this is impossible.
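
A project-level guard against the escalation reported in this ticket, as an added example that is not part of the ticket or of Django's own code: it rejects any user edit that grants more than the editing account already holds, including self-promotion. The `Account` class, the `GROUP_PERMS` table and the function name are assumptions made for illustration; in a Django project the same rule could be applied in the validation of a custom user admin form.

```python
from dataclasses import dataclass

# Constructed sample data: group name -> permissions it confers.
GROUP_PERMS = {
    "editors": {"blog.change_post"},
    "user_admins": {"auth.add_user", "auth.change_user", "auth.delete_user"},
    "ops": {"auth.change_user", "sites.change_site"},
}


@dataclass(frozen=True)
class Account:
    """Hypothetical stand-in for a user record (not Django's User model)."""
    username: str
    is_superuser: bool = False
    is_staff: bool = False
    permissions: frozenset = frozenset()
    groups: frozenset = frozenset()

    def effective_perms(self):
        """Direct permissions plus everything inherited from groups."""
        perms = set(self.permissions)
        for group in self.groups:
            perms |= GROUP_PERMS.get(group, set())
        return perms


def escalation_violations(actor, before, after):
    """Return reasons why `actor` may not turn `before` into `after`.

    `before` is None when the account is being created. An empty list
    means the change grants nothing the actor does not already hold.
    """
    if actor.is_superuser:
        return []  # superusers may grant anything
    old = before or Account(after.username)
    problems = []
    if after.is_superuser and not old.is_superuser:
        problems.append("sets is_superuser")
    if after.is_staff and not old.is_staff and not actor.is_staff:
        problems.append("sets is_staff")
    # Only newly granted rights matter; rights the target already had are
    # not an escalation caused by this edit.
    gained = after.effective_perms() - old.effective_perms()
    for perm in sorted(gained - actor.effective_perms()):
        problems.append("grants " + perm)
    return problems
```
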
