Closed davidcr01 closed 1 year ago
To solve this, it is necessary to change the Admin site and the permissions of the API, which, in this case, work separately.
It is pretty simple to solve this problem in the API. We had this permission assigned in the views.py file:
```python
# views.py (fragment of the view's get_permissions method)
        elif self.action in ['update', 'partial_update', 'destroy']:
            # Editing and deleting are available only to the Event Managers, who need
            # to edit the personal info of the players.
            return [IsOwnerOrAdminPermission()]
```
So, it is necessary to edit the IsOwnerOrAdminPermission permission:
```python
# IsOwnerOrAdminPermission (fragment of has_object_permission): staff members may
# modify any account except the superuser account.
        if request.user.is_staff and not obj.is_superuser:
            return True
```
With this, we ensure that the staff members can perform the update, partial update and destroy as long as the object that is being modified is not the superuser account.
To solve this, it is necessary to edit the CustomUserAdmin class, specifically, to overwrite the has_delete_permission and has_change_permission methods:
```python
from django.contrib.auth.admin import UserAdmin  # assumed base class of CustomUserAdmin


class CustomUserAdmin(UserAdmin):
    # Overwritten method. It prevents the staff members from deleting the
    # superuser account, but they can delete other staff accounts.
    def has_delete_permission(self, request, obj=None):
        if obj is not None and obj.is_superuser:
            if request.user.is_superuser:
                return True
            return False
        if not request.user.is_superuser and obj is not None and obj.is_staff:
            # If the user is not a superuser and the object is a staff member, deletion is allowed
            return True
        return super().has_delete_permission(request, obj)

    # Overwritten method. It prevents the staff members from editing the
    # superuser account, but they can edit other staff accounts.
    def has_change_permission(self, request, obj=None):
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return super().has_change_permission(request, obj)
```
has_delete_permission checks if the obj contains the superuser account, and allows only the superuser to delete it.
has_change_permission checks if the account that is being updated is the superuser account and denies this action if the user of the request is not the superuser.
Trying to edit the superuser account as a staff member with the API:
Trying to delete the superuser account as a staff member with the API:
Trying to edit or delete the superuser account as a staff member with the Admin site:
The "delete" button is not showing and the fields are read-only.
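Because the fix lives in two separate enforcement points (the DRF permission and the Admin site methods), the two verdicts must stay consistent or one path silently becomes the weaker one. The following is an added example, not code from this issue or the project: it models both decision paths in plain Python with a stand-in `User` dataclass (so it runs without Django) and checks that the API and the admin site agree for every staff/superuser actor-target pair. The owner and superuser branches of `api_has_object_permission` are assumed from the permission's name; the `default` argument stands in for the `super()` model-permission check in the admin methods.

```python
from dataclasses import dataclass
from itertools import product


# Stand-in for Django's auth User so the example runs without Django
# (assumption: only the is_staff / is_superuser flags matter for this policy).
@dataclass(frozen=True)
class User:
    username: str
    is_staff: bool = False
    is_superuser: bool = False


def api_has_object_permission(request_user: User, obj: User) -> bool:
    """Mirrors IsOwnerOrAdminPermission for update / partial_update / destroy.

    The owner and superuser branches are assumed; the staff branch is the fix
    from the issue: staff may modify any account except the superuser account.
    """
    if request_user == obj:
        return True                      # owner edits own account (assumed)
    if request_user.is_superuser:
        return True                      # superuser edits anyone (assumed)
    if request_user.is_staff and not obj.is_superuser:
        return True                      # the fix: staff, but target is not superuser
    return False


def admin_has_delete_permission(request_user: User, obj: User = None, default: bool = True) -> bool:
    """Mirrors CustomUserAdmin.has_delete_permission; `default` replaces super()."""
    if obj is not None and obj.is_superuser:
        return request_user.is_superuser  # only the superuser may delete the superuser
    if not request_user.is_superuser and obj is not None and obj.is_staff:
        return True                       # staff may delete other staff accounts
    return default


def admin_has_change_permission(request_user: User, obj: User = None, default: bool = True) -> bool:
    """Mirrors CustomUserAdmin.has_change_permission; `default` replaces super()."""
    if obj is not None and obj.is_superuser and not request_user.is_superuser:
        return False                      # staff cannot edit the superuser account
    return default


def enforcement_points_agree(request_user: User, obj: User) -> bool:
    """True when the API and the Admin site reach the same verdict for this pair."""
    api = api_has_object_permission(request_user, obj)
    admin = (admin_has_change_permission(request_user, obj)
             and admin_has_delete_permission(request_user, obj))
    return api == admin


def find_disagreements(users: list) -> list:
    """Every (actor, target) pair of admin-site users where the two paths disagree."""
    actors = [u for u in users if u.is_staff]  # non-staff users cannot log into the admin site
    return [(a.username, t.username)
            for a, t in product(actors, users)
            if not enforcement_points_agree(a, t)]


if __name__ == "__main__":
    # Constructed sample accounts.
    root = User("root", is_staff=True, is_superuser=True)
    alice = User("alice", is_staff=True)
    bob = User("bob", is_staff=True)
    print("staff -> superuser via API:", api_has_object_permission(alice, root))
    print("staff -> superuser via admin delete:", admin_has_delete_permission(alice, root))
    print("disagreements:", find_disagreements([root, alice, bob]))
```

Running it prints `False` for both staff-to-superuser checks and an empty disagreement list; if a later change to either the permission class or the admin methods reintroduces the bug on one path only, `find_disagreements` reports the affected actor/target pair.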
Description
The staff members should not edit the superuser account or delete it. That account has maximum permissions on the application, and the possibility that a staff member can update or delete it is a high-risk security problem.