summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRemco Kranenburg <remco@burgsoft.nl>2015-03-13 08:48:39 -0400
committerTim Graham <timograham@gmail.com>2015-03-13 08:50:48 -0400
commitf6b09a7f85c3b67b2011553838b079788c413432 (patch)
treef45dd183dbdf918fed638eedf4681fbf03e35069 /docs
parent56cd87a5aff034a7b976977a2902697cd5397b94 (diff)
Refs #23559 -- warned about consequences of letting users edit User model in admin.
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/auth/default.txt5
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index bc3eaf4df8..156746e3c2 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1414,6 +1414,11 @@ have the power to create superusers, which can then, in turn, change other
users. So Django requires add *and* change permissions as a slight security
measure.
+Be thoughtful about how you allow users to manage permissions. If you give a
+non-superuser the ability to edit users, this is ultimately the same as giving
+them superuser status because they will be able to elevate permissions of
+users including themselves!
+
Changing Passwords
------------------