Hi again, some time ago I suggested a change to the UserAdmin.get_readonly_fields() restricting non-superuser staff people from being able to elevate anyone's permissions -- an issue many administrators miss when giving access to the User admin.

https://code.djangoproject.com/ticket/23559

The discussion at least resulted in the important documentation addition and I'm grateful for that. Nevertheless it waits for the decision on the behavioral change. As that would introduce a backward incompatibility, may I ask about opinions?

My view: With the introduction of the custom user model feature, projects have more User fields and staff is more likely to get the change permission. I'd welcome some gentle push towards a more secure default. Every project is different and the developer should always have an easy way to change restrictions to fit his or her needs. I think the default Django behavior should be more secure; that would propagate to inheritors.

I'd suggest a configurable list of fields that the default UserAdmin should make read-only for non-superusers. Imagining this default global configuration (easy to configure):

    settings.AUTH_ADMIN_STAFF_READONLY_FIELDS = ('password', 'is_staff', 'is_superuser', 'groups', 'user_permissions')

or this as the new default option (needs a subclass or a monkey patch to configure):

    UserAdmin.staff_readonly_fields = ('password', 'is_staff', 'is_superuser', 'groups', 'user_permissions')

Thank you for your time,
Vlada Macek
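As an added example (not code from the ticket, the post, or Django itself), here is a mixin implementing the second variant, `staff_readonly_fields`, on top of `get_readonly_fields()`: superusers keep the parent admin's read-only set, while other staff additionally lose write access to the permission-bearing fields. The `FakeUserAdmin` base and the request object are constructed stand-ins so the block runs without Django installed; in a project the mixin would sit in front of the real `UserAdmin`.

```python
from types import SimpleNamespace


class StaffReadonlyMixin:
    """Mix into a ModelAdmin: fields non-superusers may view but not edit.

    Mirrors the proposed ``UserAdmin.staff_readonly_fields`` option. In a real
    project use it as ``class HardenedUserAdmin(StaffReadonlyMixin, UserAdmin)``.
    """

    staff_readonly_fields = (
        "password", "is_staff", "is_superuser", "groups", "user_permissions",
    )

    def get_readonly_fields(self, request, obj=None):
        # Keep whatever the parent admin already marks read-only.
        base = tuple(super().get_readonly_fields(request, obj))
        if request.user.is_superuser:
            return base
        # Non-superuser staff additionally get the permission-bearing fields
        # marked read-only; order is preserved and duplicates are dropped.
        extra = tuple(f for f in self.staff_readonly_fields if f not in base)
        return base + extra


# --- Constructed stand-ins so the example runs without Django installed ---

class FakeUserAdmin:
    """Stand-in for django.contrib.auth.admin.UserAdmin (constructed)."""
    readonly_fields = ("last_login", "date_joined")

    def get_readonly_fields(self, request, obj=None):
        return self.readonly_fields


class HardenedUserAdmin(StaffReadonlyMixin, FakeUserAdmin):
    pass


def readonly_for(is_superuser):
    """Return the read-only field tuple the admin yields for a request user."""
    user = SimpleNamespace(is_staff=True, is_superuser=is_superuser)
    request = SimpleNamespace(user=user)  # constructed request stand-in
    return HardenedUserAdmin().get_readonly_fields(request)


if __name__ == "__main__":
    print("superuser:", readonly_for(True))
    print("staff    :", readonly_for(False))
```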