<blockquote>
<p>they gain the ability to set the is_superuser flag on any account, including their own. (!!!)</p>
</blockquote>
<p>Not only this, they also gain the ability to give themselves any permissions one-by-one, same effect...</p>
<blockquote>
<p>I'm sure it involves subclassing django.contrib.auth.forms.UserChangeForm</p>
</blockquote>
<p>Well, not necessarily. The form you see in the change page of Django's admin is dynamically created by the admin application, and based on <code>UserChangeForm</code>, but this class barely adds regex validation to the <code>username</code> field.</p>
<blockquote>
<p>and hooking it into my already-custom UserAdmin object...</p>
</blockquote>
<p>A custom <code>UserAdmin</code> is the way to go here. Basically, you want to change the <code>fieldsets</code> property to something like this:</p>
<pre><code>from django.contrib.auth.admin import UserAdmin
from django.utils.translation import gettext_lazy as _


class MyUserAdmin(UserAdmin):
    fieldsets = (
        (None, {'fields': ('username', 'password')}),
        (_('Personal info'), {'fields': ('first_name', 'last_name', 'email')}),
        # Removing the permission part
        # (_('Permissions'), {'fields': ('is_staff', 'is_active', 'is_superuser', 'user_permissions')}),
        (_('Important dates'), {'fields': ('last_login', 'date_joined')}),
        # Keeping the group parts? Ok, but they shouldn't be able to define
        # their own groups, up to you...
        (_('Groups'), {'fields': ('groups',)}),
    )
</code></pre>
<p>But the problem here is that this restriction will apply to all users. If this is not what you want, you could for example override <code>change_view</code> to behave differently depending on the permission of the users. Code snippet:</p>
<pre><code>from django.contrib.auth.admin import UserAdmin
from django.utils.translation import gettext_lazy as _


class MyUserAdmin(UserAdmin):
    staff_fieldsets = (
        (None, {'fields': ('username', 'password')}),
        (_('Personal info'), {'fields': ('first_name', 'last_name', 'email')}),
        # No permissions
        (_('Important dates'), {'fields': ('last_login', 'date_joined')}),
        (_('Groups'), {'fields': ('groups',)}),
    )

    def change_view(self, request, *args, **kwargs):
        # for non-superuser
        if not request.user.is_superuser:
            try:
                self.fieldsets = self.staff_fieldsets
                response = super(MyUserAdmin, self).change_view(request, *args, **kwargs)
            finally:
                # Reset fieldsets to its original value
                self.fieldsets = UserAdmin.fieldsets
            return response
        else:
            return super(MyUserAdmin, self).change_view(request, *args, **kwargs)
</code></pre>
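As an added example (not code from the answer above or from Django itself), the same restriction expressed through <code>ModelAdmin.get_fieldsets()</code>, the hook Django evaluates once per request, so nothing has to be assigned to <code>self.fieldsets</code> on the <code>ModelAdmin</code> instance that Django shares between requests. The filtering is a pure function over the fieldsets tuple structure so it runs and can be tested without a Django project; <code>PROTECTED_FIELDS</code>, the constructed sample fieldsets, <code>offending_post_fields</code> and the class name <code>StaffRestrictedUserAdmin</code> are this example's own choices, not Django API.

```python
"""Added example, not part of the original answer: the staff/superuser
fieldset restriction implemented through ModelAdmin.get_fieldsets(), plus
the pure filtering logic so the behaviour is testable without Django."""

# Fields that grant or widen privileges. Assumption: an operator wants all
# three kept away from non-superusers; 'groups' stays editable, as the
# answer suggests, and can be added here if group membership is also
# considered privileged.
PROTECTED_FIELDS = frozenset({"is_superuser", "is_staff", "user_permissions"})

# Constructed sample mirroring the layout of Django's default UserAdmin
# fieldsets (plain strings instead of lazy translations).
SAMPLE_FIELDSETS = (
    (None, {"fields": ("username", "password")}),
    ("Personal info", {"fields": ("first_name", "last_name", "email")}),
    ("Permissions", {"fields": ("is_active", "is_staff", "is_superuser",
                                "groups", "user_permissions")}),
    ("Important dates", {"fields": ("last_login", "date_joined")}),
)


def restrict_fieldsets(fieldsets, protected=PROTECTED_FIELDS):
    """Return a copy of `fieldsets` with every protected field removed.

    Works on the nested tuple structure ModelAdmin.fieldsets uses, including
    the grouped syntax where one entry of 'fields' is itself a tuple of names
    rendered on a single line. Fieldsets left with no fields are dropped.
    """
    result = []
    for name, options in fieldsets:
        kept = []
        for entry in options.get("fields", ()):
            if isinstance(entry, (tuple, list)):
                row = tuple(f for f in entry if f not in protected)
                if len(row) == 1:
                    kept.append(row[0])
                elif row:
                    kept.append(row)
            elif entry not in protected:
                kept.append(entry)
        if kept:
            new_options = dict(options)
            new_options["fields"] = tuple(kept)
            result.append((name, new_options))
    return tuple(result)


def exposed_fields(fieldsets):
    """Flatten fieldsets into the set of field names the form will contain."""
    names = set()
    for _name, options in fieldsets:
        for entry in options.get("fields", ()):
            names.update(entry if isinstance(entry, (tuple, list)) else (entry,))
    return names


def offending_post_fields(posted_names, is_superuser, protected=PROTECTED_FIELDS):
    """Defence-in-depth check for the POST side.

    The admin builds its ModelForm from get_fieldsets(), so unlisted fields
    are never bound; this independent check lets a view or audit hook flag a
    non-superuser request that carries protected names anyway. Returns the
    offending names (empty when the request is acceptable).
    """
    if is_superuser:
        return set()
    return set(posted_names) & set(protected)


try:
    from django.contrib.auth.admin import UserAdmin

    class StaffRestrictedUserAdmin(UserAdmin):
        """Per-request restriction; nothing is written to the shared instance."""

        def get_fieldsets(self, request, obj=None):
            fieldsets = super().get_fieldsets(request, obj)
            if request.user.is_superuser:
                return fieldsets
            return restrict_fieldsets(fieldsets)

except ImportError:  # Django not installed: the pure functions above still run
    UserAdmin = None


if __name__ == "__main__":
    for label, view in (("superuser", SAMPLE_FIELDSETS),
                        ("staff", restrict_fieldsets(SAMPLE_FIELDSETS))):
        print(label, sorted(exposed_fields(view)))
```

Because <code>get_fieldsets()</code> also drives the form the admin binds on POST, a non-superuser cannot submit <code>is_superuser</code> even by hand-crafting the request; <code>offending_post_fields</code> is only there to make that invariant observable in logs or tests.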