diff options
| author | Remco Kranenburg <remco@burgsoft.nl> | 2015-03-13 08:48:39 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-13 08:51:27 -0400 |
| commit | 96bbade674a9bde23d54f68350f83893666f18a5 (patch) | |
| tree | cdb7a29d66f860b247715fce392546c6ee3d97ce | |
| parent | 639583ed1daccc8033ad6358743199441f9474f9 (diff) | |
[1.7.x] Refs #23559 -- warned about consequences of letting users edit User model in admin.
Backport of f6b09a7f85c3b67b2011553838b079788c413432 from master
| -rw-r--r-- | docs/topics/auth/default.txt | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 89af55f101..d3a5b722d7 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1402,6 +1402,11 @@ have the power to create superusers, which can then, in turn, change other users. So Django requires add *and* change permissions as a slight security measure. +Be thoughtful about how you allow users to manage permissions. If you give a +non-superuser the ability to edit users, this is ultimately the same as giving +them superuser status because they will be able to elevate permissions of +users including themselves! + Changing Passwords ------------------ |
