#23559: Staff (not superusers) should not be able to elevate perms of Users


Vláďa Macek

Jul 15, 2017, 1:24:29 PM
to Django developers (Contributions to Django itself)
Hi again,

some time ago I suggested a change to the UserAdmin.get_readonly_fields() restricting non-superuser staff people from being able to elevate anyone's permissions -- an issue many administrators miss when giving access to the User admin.

https://code.djangoproject.com/ticket/23559

The discussion at least resulted in the important documentation addition and I'm grateful for that. Nevertheless it waits for the decision on the behavioral change. As that would introduce a backward incompatibility, may I ask about opinions?

My view:

With the introduction of the custom user model feature, projects have more User fields and staff is more likely to get the change permission. I'd welcome some gentle push towards a more secure default.

Every project is different and the developer should always have an easy way to change restrictions to fit his or her needs. I think the default Django behavior should be more secure, that would propagate to inheritors.

I'd suggest a configurable list of fields that the default UserAdmin should make read-only for non-superusers.

Imagining this default global configuration (easy to configure):

settings.AUTH_ADMIN_STAFF_READONLY_FIELDS = ('password', 'is_staff', 'is_superuser', 'groups', 'user_permissions')

or this as the new default option (needs a subclass or a monkey patch to configure):

UserAdmin.staff_readonly_fields = ('password', 'is_staff', 'is_superuser', 'groups', 'user_permissions')

Thank you for your time,

Vlada Macek

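One way the proposed `staff_readonly_fields` option could be implemented, as a mixin that any ModelAdmin subclass can adopt (added example, not Django's code nor the ticket's patch; the mixin name, the stand-in base class and the fake request object are assumptions made so the demo runs without a configured Django project):

```python
from types import SimpleNamespace

# Default tuple taken from the post's suggested option.
DEFAULT_STAFF_READONLY_FIELDS = (
    "password", "is_staff", "is_superuser", "groups", "user_permissions",
)


class StaffReadonlyMixin:
    """Make `staff_readonly_fields` read-only unless the requesting user is a superuser.

    Hypothetical mixin name. It relies on the next class in the MRO providing
    get_readonly_fields(), as django.contrib.admin.ModelAdmin does.
    """

    staff_readonly_fields = DEFAULT_STAFF_READONLY_FIELDS

    def get_readonly_fields(self, request, obj=None):
        base = tuple(super().get_readonly_fields(request, obj))
        user = getattr(request, "user", None)
        # Fail closed: a missing user or a non-superuser gets the restricted form.
        if user is not None and getattr(user, "is_superuser", False):
            return base
        # Keep the admin's own read-only fields first and avoid duplicates.
        extra = tuple(f for f in self.staff_readonly_fields if f not in base)
        return base + extra


# In a real project's admin.py you would compose it with Django's UserAdmin:
#     class HardenedUserAdmin(StaffReadonlyMixin, UserAdmin): pass
#     admin.site.unregister(User); admin.site.register(User, HardenedUserAdmin)


class _PlainAdmin:
    """Stand-in for ModelAdmin (constructed for this demo only)."""

    readonly_fields = ("last_login", "date_joined")

    def get_readonly_fields(self, request, obj=None):
        return self.readonly_fields


class DemoAdmin(StaffReadonlyMixin, _PlainAdmin):
    pass


def readonly_for(is_superuser):
    """Read-only fields the demo admin presents to a user with the given flag."""
    request = SimpleNamespace(user=SimpleNamespace(is_superuser=is_superuser))
    return DemoAdmin().get_readonly_fields(request, obj=None)
```

A superuser sees only the admin's own read-only fields, while any other staff user also gets the permission-granting fields locked.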