mirror of https://github.com/django/django.git
Refs #23559 -- warned about consequences of letting users edit User model in admin.
This commit is contained in:
parent
56cd87a5af
commit
f6b09a7f85
|
@ -1414,6 +1414,11 @@ have the power to create superusers, which can then, in turn, change other
|
|||
users. So Django requires add *and* change permissions as a slight security
|
||||
measure.
|
||||
|
||||
Be thoughtful about how you allow users to manage permissions. If you give a
|
||||
non-superuser the ability to edit users, this is ultimately the same as giving
|
||||
them superuser status because they will be able to elevate permissions of
|
||||
users including themselves!
|
||||
|
||||
Changing Passwords
|
||||
------------------
|
||||
|
||||
|
|
Loading…
Reference in New Issue