Opened 17 years ago

Closed 13 years ago

#6519 closed New feature (invalid)

admin: "Can change user" permission allows to change all others even w/o "Can change permissions"

Reported by: raik.gruenberg@… Owned by: thauber
Component: contrib.admin Version: newforms-admin
Severity: Normal Keywords: permissions nfa-someday
Cc: Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Giving a user the "Can change user" permission in the admin interface, automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.

Specifically, I wanted to allow users to change their own details, or at least password...

Django revision: 6914

THX
Raik

Change History (9)

comment:1 by Simon Greenhill <dev@…>, 17 years ago

Triage Stage: UnreviewedAccepted
Version: SVNnewforms-admin

comment:2 by anonymous, 17 years ago

Owner: changed from nobody to anonymous
Status: newassigned

comment:3 by thauber, 17 years ago

Owner: changed from anonymous to thauber
Status: assignednew

anonymous was me

comment:4 by thauber, 17 years ago

Status: newassigned

comment:5 by Karen Tracey <kmtracey@…>, 17 years ago

Keywords: nfa-someday added

Opened against old admin, should not block merge.

in reply to:  description comment:6 by Ramiro Morales, 14 years ago

Triage Stage: AcceptedDesign decision needed

Replying to raik.gruenberg@crg.es:

Giving a user the "Can change user" permission in the admin interface, automatically enables this user to also give him/herself or anyone else any other permission, including superuser status. That's unexpected because there is a separate "Can change permission" flag, which seems to be ignored.

I think There is some confusion about the semantics of these permission here. The "Can change permission" permission is about being able to change a Permission instance (permissions are models themselves, although there is no standalone CRUD UI in the admin for them) e.g. changing their name. It's not about being able or not to change the permissions assigned to a given user, such task is allowed as part of the "Can change user" permission (User has a m2m relationship to Permission.). Both of these features deserve their own tickets.

Specifically, I wanted to allow users to change their own details, or at least password...

This isn't currently possible, Django hasn't yet a full per-row permission system/admin app (I think this would allow or at least be of help to to what you need), another possibility would be to propose a general solution so there is a better workflow to users being able to change their own (and no others') details using the admin (maybe taking also in account #8159?)

I'm moving back this ticket to 'Design decision needed'.

comment:7 by Julien Phalip, 14 years ago

Type: New feature

comment:8 by Julien Phalip, 14 years ago

Severity: Normal

comment:9 by Carl Meyer, 13 years ago

Easy pickings: unset
Resolution: invalid
Status: assignedclosed
UI/UX: unset

This ticket resulted from a confusion about the wording of permissions; not seeing a clear action proposal here.

Note: See TracTickets for help on using tickets.
Back to Top