Users can give permissions they don't have.

43 views
Skip to first unread message

RLF_UNIQUE

unread,
Nov 14, 2014, 9:25:28 PM11/14/14
to django...@googlegroups.com
I want to make a "manager" user, who has a set of permissions (less than what I have as admin). I want "manager" to be able to create users, groups, permissions, etc, but restrict them to ONLY the permissions they have (if I give them permission to add user, they can just give new user all available permissions, even ones they don't have). Is there an easy way to do this?

Avraham Serour

unread,
Nov 15, 2014, 3:41:55 PM11/15/14
to django...@googlegroups.com
yes, that seems reasonable, users that can create users can only give them permissions they also have.
What's the problem?

On Sat, Nov 15, 2014 at 4:25 AM, RLF_UNIQUE <rlfu...@gmail.com> wrote:
I want to make a "manager" user, who has a set of permissions (less than what I have as admin). I want "manager" to be able to create users, groups, permissions, etc, but restrict them to ONLY the permissions they have (if I give them permission to add user, they can just give new user all available permissions, even ones they don't have). Is there an easy way to do this?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/87448e01-9197-44d5-97c6-a1dac68e8a8f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

RLF_UNIQUE

unread,
Nov 15, 2014, 5:07:16 PM11/15/14
to django...@googlegroups.com
The problem is that's not how it's working. I create a user and they can give other users privs that they don't have.

Collin Anderson

unread,
Nov 17, 2014, 4:29:43 PM11/17/14
to django...@googlegroups.com
On Friday, November 14, 2014 9:25:28 PM UTC-5, RLF_UNIQUE wrote:
I want to make a "manager" user, who has a set of permissions (less than what I have as admin). I want "manager" to be able to create users, groups, permissions, etc, but restrict them to ONLY the permissions they have (if I give them permission to add user, they can just give new user all available permissions, even ones they don't have). Is there an easy way to do this?

Hello,

I don't think django has anything like this built-in, but it seems to me if you write some code for adding permissions, you could just manually check that the user has the permission before giving it to the next person.

Though of course, removing permissions from the first user wouldn't automatically remove them from the other people. 

Collin

Reply all
Reply to author
Forward
0 new messages