[1.7.x] Refs #23559 -- warned about consequences of letting users edit User model in admin.

Backport of f6b09a7f85c3b67b2011553838b079788c413432 from master
2015-03-13 08:48:39 -04:00 · 2015-03-13 08:48:39 -04:00 · 96bbade674
commit 96bbade674
parent 639583ed1d
1 changed files with 5 additions and 0 deletions
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@ -1402,6 +1402,11 @@ have the power to create superusers, which can then, in turn, change other
 users. So Django requires add *and* change permissions as a slight security
 measure.

+Be thoughtful about how you allow users to manage permissions. If you give a
+non-superuser the ability to edit users, this is ultimately the same as giving
+them superuser status because they will be able to elevate permissions of
+users including themselves!
+
 Changing Passwords
 ------------------