I got the following issue: If I give a user staff-status and allow him to create users but not to create new groups and assign entitlements, he is still able to assign another user the 'admin'-entitlements - so he can easily add a user who has more entitlements than himself! Has anyone found a way to avoid that without providing a custom user-model / -view?
I'm thankful for any response.
Django requires that users with the permission 'Can add user' also have the permission 'Can change user'. Quoting the documentation:

However, it might be possible to restrict the set of permissions available for a given user to assign by modifying the ModelAdmin (or its form). Here's an answer showing how to redefine the UserAdmin.

I believe your new ModelAdmin would have to: a) filter out users that have more permissions than you (so you can't remove permissions from them); b) modify the change user form so you can't set the superuser field and the permissions you're not allowed to assign are excluded from the list (or disable the whole list altogether - but I dunno that's what you really need, right? Creating a user with no permissions at all would be of little use IMO).

Update: Here's what I found so far. Should satisfy all goals above, except the permission filtering problem (it behaves like you asked in the question - deny assigning any permissions by users who are not entitled to). You can modify it to better suit your needs (for instance, replace .is_superuser by whatever logic you want to allow/deny changing permissions).