
Review User Admin Security #13

Open
dandavies99 opened this issue Oct 4, 2021 · 1 comment
Labels
enhancement New feature or request

Comments

@dandavies99
Contributor

Form fields are currently disabled in CustomUserAdmin to prevent escalation of privileges and enforce the use of groups to manage permissions. This appears to be recommended but may not protect against users generating requests via means other than the browser.

Once we have a minimum viable product, we should revisit this to see if there is a way to block such requests from being acted on.

@dandavies99 dandavies99 added the enhancement New feature or request label Oct 4, 2021
@cc-a

cc-a commented Oct 6, 2021

A more robust answer may be provided by the has_*_permission hooks provided by ModelAdmin:
https://docs.djangoproject.com/en/2.1/ref/contrib/admin/#django.contrib.admin.ModelAdmin.has_view_permission

Or, for instance-level permissions, could Guardian be applied to the User model?
