django admin permissions - can edit user but can't edit his permissions - how to do it?

StackOverflow https://stackoverflow.com/questions/1825771

Question

I gave the editors such permissions:

  • auth | user | can add/change user - ON

  • auth | permissions | can add/change permissions - OFF

Still, when editing, they can change their permissions (and allow themselves actions they shouldn't do). I've found a ticket from 2yrs ago: http://code.djangoproject.com/ticket/6519 and it still works this way.

How to allow user edition (email, passwords, etc..) but block permissions change?

Was it helpful?

Solution

Your current approach isn't going to work I'm afraid.

From the Django docs:

If you have permission to add users, you have the power to create superusers, which can then, in turn, change other users.

So if you manage to block the editors from changing permissions, it will not help, because they could still create superusers that can.

OTHER TIPS

The code below gives you ability to override the formset, this essentially limits the ability for non-superusers to edit permissions. They can still create users, but they just can't modify permissions. They can even edit users just fine.

class UserAdmin(UserAdmin):

    def change_view(self, request, object_id):

        # we want to limit the ability of the normal user to edit permissions.
        if request.user.is_superuser:
            self.fieldsets = (
                (None, {'fields': ('username', 'password')}),
                (_('Personal info'), {'fields': ('first_name', 'last_name', 'email')}),
                (_('Permissions'), {'fields': ('is_active', 'is_staff', 'is_superuser', 'user_permissions')}),
                (_('Important dates'), {'fields': ('last_login', 'date_joined')}),
                (_('Groups'), {'fields': ('groups',)}),
            )
        else:
            self.fieldsets = (
                (None, {'fields': ('username', 'password')}),
                (_('Personal info'), {'fields': ('first_name', 'last_name', 'email')}),
                #(_('Permissions'), {'fields': ('is_active', 'is_staff', 'is_superuser', 'user_permissions')}),
                (_('Important dates'), {'fields': ('last_login', 'date_joined')}),
                #(_('Groups'), {'fields': ('groups',)}),
            )


        return super(UserAdmin, self).change_view(request, object_id,
            )
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top