how to not let staff or admin users edit superusers
Question:
I’m working on permission distribution and, according to my user model structure, staff and admin users are allowed to edit is_staff and is_admin for other users, but not for themselves. With that power, however, they are also able to edit those booleans for superusers, which I don’t want them to have permission for. So how do I let staff and admin users edit those booleans for everyone except superusers and themselves, or otherwise stop staff and admin users from tampering with any superuser attributes?
admin
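def get_form(self, request, obj=None, **kwargs):
    """Build the admin form, locking privilege fields the editor must not change.

    The fields ``'staff'``, ``'admin'`` and ``'user_permissions'`` are marked
    disabled (Django ignores submitted values for disabled fields, so this
    holds on POST as well as in the rendered form) when the requesting user
    is not a superuser and the object being edited is either the requesting
    user themselves or a superuser account.  Superusers keep full access.

    Args:
        request: the current admin request; ``request.user`` is the editor.
        obj: the user instance being edited, or ``None`` on the add view.
        **kwargs: passed through unchanged to ``ModelAdmin.get_form``.

    Returns:
        The form class returned by the parent, with the relevant
        ``base_fields`` disabled.
    """
    form = super().get_form(request, obj, **kwargs)
    editor = request.user
    disabled_fields = set()
    if not editor.is_superuser and obj is not None:
        # A non-superuser may not raise their own privileges, nor change
        # those of any superuser account.
        if obj == editor or obj.is_superuser:
            disabled_fields |= {'staff', 'admin', 'user_permissions'}
    for field_name in disabled_fields:
        # Not every form variant carries every field, so guard the lookup.
        if field_name in form.base_fields:
            form.base_fields[field_name].disabled = True
    return form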
Answers:
I have another suggestion: you can use Django group permissions.
Create a specific group permission and add to it any user you want.
You can remove edit permission for any superuser from non-superusers.
from django.contrib.auth import get_permission_codename
def has_change_permission(self, request, obj=None):
    """Return whether ``request.user`` may change *obj* through this admin.

    Starts from the model's ordinary ``change`` permission and, when a
    target object is given, additionally refuses if ``is_user_not_allowed``
    says the editor must not touch it.  With ``obj=None`` (changelist view)
    only the model-level permission is consulted.

    NOTE(review): only the change action is gated here; other admin actions
    are decided by their own ``has_*_permission`` hooks.
    """
    model_opts = self.opts
    perm_name = "%s.%s" % (
        model_opts.app_label,
        get_permission_codename('change', model_opts),
    )
    if not request.user.has_perm(perm_name):
        return False
    if obj is None:
        return True
    return not self.is_user_not_allowed(request.user, obj)
def is_user_not_allowed(self, user, obj=None):
    """Return ``True`` when *user* must not edit *obj*.

    The single rule: a non-superuser may never edit a superuser account.
    A missing target (``obj=None``) is never blocked.
    """
    if user.is_superuser or obj is None:
        return False
    # Non-superuser editing a superuser account: blocked.
    return bool(obj.is_superuser)
I’m working on permission distribution and, according to my user model structure, staff and admin users are allowed to edit is_staff and is_admin for other users, but not for themselves. With that power, however, they are also able to edit those booleans for superusers, which I don’t want them to have permission for. So how do I let staff and admin users edit those booleans for everyone except superusers and themselves, or otherwise stop staff and admin users from tampering with any superuser attributes?
admin
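def get_form(self, request, obj=None, **kwargs):
    """Build the admin form, locking privilege fields the editor must not change.

    The fields ``'staff'``, ``'admin'`` and ``'user_permissions'`` are marked
    disabled (Django ignores submitted values for disabled fields, so this
    holds on POST as well as in the rendered form) when the requesting user
    is not a superuser and the object being edited is either the requesting
    user themselves or a superuser account.  Superusers keep full access.

    Args:
        request: the current admin request; ``request.user`` is the editor.
        obj: the user instance being edited, or ``None`` on the add view.
        **kwargs: passed through unchanged to ``ModelAdmin.get_form``.

    Returns:
        The form class returned by the parent, with the relevant
        ``base_fields`` disabled.
    """
    form = super().get_form(request, obj, **kwargs)
    editor = request.user
    disabled_fields = set()
    if not editor.is_superuser and obj is not None:
        # A non-superuser may not raise their own privileges, nor change
        # those of any superuser account.
        if obj == editor or obj.is_superuser:
            disabled_fields |= {'staff', 'admin', 'user_permissions'}
    for field_name in disabled_fields:
        # Not every form variant carries every field, so guard the lookup.
        if field_name in form.base_fields:
            form.base_fields[field_name].disabled = True
    return form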
I have another suggestion: you can use Django group permissions.
Create a specific group permission and add to it any user you want.
You can remove edit permission for any superuser from non-superusers.
from django.contrib.auth import get_permission_codename
def has_change_permission(self, request, obj=None):
    """Return whether ``request.user`` may change *obj* through this admin.

    Starts from the model's ordinary ``change`` permission and, when a
    target object is given, additionally refuses if ``is_user_not_allowed``
    says the editor must not touch it.  With ``obj=None`` (changelist view)
    only the model-level permission is consulted.

    NOTE(review): only the change action is gated here; other admin actions
    are decided by their own ``has_*_permission`` hooks.
    """
    model_opts = self.opts
    perm_name = "%s.%s" % (
        model_opts.app_label,
        get_permission_codename('change', model_opts),
    )
    if not request.user.has_perm(perm_name):
        return False
    if obj is None:
        return True
    return not self.is_user_not_allowed(request.user, obj)
def is_user_not_allowed(self, user, obj=None):
    """Return ``True`` when *user* must not edit *obj*.

    The single rule: a non-superuser may never edit a superuser account.
    A missing target (``obj=None``) is never blocked.
    """
    if user.is_superuser or obj is None:
        return False
    # Non-superuser editing a superuser account: blocked.
    return bool(obj.is_superuser)