Open
Description
There is a potential permission escalation issue with the out-of-the-box configuration of authtools.
Users who are is_staff and have permissions to see the User section can currently edit their own permissions and also edit the passwords of superusers.
I did some work in one of my projects to prevent this, but I don't think it's possible to make this generic.
```python
import copy

def get_fieldsets(self, request, obj=None):
    # Add form, or a superuser doing the editing: no restriction.
    if not obj or request.user.is_superuser:
        return super(UserAdmin, self).get_fieldsets(request, obj)
    # permission escalation avoidance. Staff can change each others'
    # passwords, but not edit permissions or change superusers' passwords.
    base_fields = copy.deepcopy(BASE_FIELDS)
    if obj and obj.is_superuser:
        # Target is a superuser: only the required fields, no password field.
        base_fields[1]['fields'] = REQUIRED_FIELDS
    # Swap in the trimmed base fieldset and drop the permissions fieldset.
    return (base_fields,) + self.declared_fieldsets[2:]
```

There is still the possibility that an is_staff User gains more permissions by changing the password of other is_staffers, but they still won't be able to gain superuser access.
All this being said, I think the best we can do is just to put some warnings in the docs. Thoughts?
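As an added, Django-free model of the policy sketched above (not code from authtools or from the issue author), assuming the declared fieldsets are base, permissions and dates in that order, so the restricted form can be checked offline:

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class User:
    """Constructed stand-in for the Django user; only the two flags matter here."""
    is_staff: bool = False
    is_superuser: bool = False


# Constructed stand-ins for authtools' REQUIRED_FIELDS, BASE_FIELDS and the
# admin's declared fieldsets (base, permissions, dates), in that order.
REQUIRED_FIELDS = ("email",)
BASE_FIELDS = (None, {"fields": ("email", "password")})
PERMISSION_FIELDS = ("Permissions", {"fields": (
    "is_active", "is_staff", "is_superuser", "groups", "user_permissions")})
DATE_FIELDS = ("Important dates", {"fields": ("last_login", "date_joined")})
DECLARED_FIELDSETS = (BASE_FIELDS, PERMISSION_FIELDS, DATE_FIELDS)


def get_fieldsets(actor, obj=None, declared=DECLARED_FIELDSETS):
    """Fieldsets `actor` may see on the change form for `obj` (None = add form)."""
    if obj is None or actor.is_superuser:
        return declared
    base = deepcopy(declared[0])
    if obj.is_superuser:
        # A non-superuser never gets the password field of a superuser.
        base[1]["fields"] = REQUIRED_FIELDS
    # Drop the permissions fieldset (index 1) entirely for non-superusers.
    return (base,) + declared[2:]


def editable_fields(actor, obj=None):
    """Flat set of field names reachable through the form, handy for asserting on."""
    return {f for _, opts in get_fieldsets(actor, obj) for f in opts["fields"]}


def check_policy():
    """Checks a reviewer would run against the policy; True if all of them hold."""
    staff = User(is_staff=True)
    root = User(is_staff=True, is_superuser=True)
    checks = [
        "password" in editable_fields(staff, staff),           # staff may reset peers
        "is_superuser" not in editable_fields(staff, staff),    # but not self-promote
        "password" not in editable_fields(staff, root),         # nor take over a superuser
        "user_permissions" not in editable_fields(staff, root),
        editable_fields(root, staff) == editable_fields(root),  # superuser unrestricted
    ]
    return all(checks)
```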