From 6f555e54f727f49ac1f4982b6e6126f3238746e4 Mon Sep 17 00:00:00 2001 From: Remco Kranenburg Date: Fri, 13 Mar 2015 08:48:39 -0400 Subject: [PATCH] [1.8.x] Refs #23559 -- warned about consequences of letting users edit User model in admin. Backport of f6b09a7f85c3b67b2011553838b079788c413432 from master --- docs/topics/auth/default.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 554e58b838..faad4d8579 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1427,6 +1427,11 @@ have the power to create superusers, which can then, in turn, change other users. So Django requires add *and* change permissions as a slight security measure. +Be thoughtful about how you allow users to manage permissions. If you give a +non-superuser the ability to edit users, this is ultimately the same as giving +them superuser status because they will be able to elevate permissions of +users including themselves! + Changing Passwords ------------------
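Review bot: the added paragraph in the docs/topics/auth/default.txt hunk would be clearer if it named the permission it is talking about, since the sentences just above it discuss add and change permissions on the User model and the new text only says "the ability to edit users"; consider "If you give a non-superuser the change permission on the User model" so the reader can map the warning onto the admin permission being configured. The closing sentence also reads more like a chat message than reference documentation: "they will be able to elevate permissions of users including themselves!" could become "they will be able to grant additional permissions, including superuser status, to any user, themselves included." Because this is a security caveat rather than ordinary exposition, it would render more prominently as a reStructuredText `.. warning::` admonition, which this file format supports, rather than as a plain paragraph between "So Django requires add *and* change permissions as a slight security measure." and the "Changing Passwords" heading.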