diff options
| author | Remco Kranenburg <remco@burgsoft.nl> | 2015-03-13 08:48:39 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-13 08:50:48 -0400 |
| commit | f6b09a7f85c3b67b2011553838b079788c413432 (patch) | |
| tree | f45dd183dbdf918fed638eedf4681fbf03e35069 /docs | |
| parent | 56cd87a5aff034a7b976977a2902697cd5397b94 (diff) | |
Refs #23559 -- warned about consequences of letting users edit User model in admin.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/topics/auth/default.txt | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index bc3eaf4df8..156746e3c2 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1414,6 +1414,11 @@ have the power to create superusers, which can then, in turn, change other users. So Django requires add *and* change permissions as a slight security measure. +Be thoughtful about how you allow users to manage permissions. If you give a +non-superuser the ability to edit users, this is ultimately the same as giving +them superuser status because they will be able to elevate permissions of +users including themselves! + Changing Passwords ------------------ |
