davidcr01 / WordlePlus

Repository to store all the documentation, files and structure of my Final Degree Project (TFG in Spanish). The main goal is to develop, as a full-stack web developer, a remodel of the Wordle game, including more features and functionalities, using Ionic, Django REST API and PostgreSQL.

Staff members should not manage superuser account (S1) #10

Closed davidcr01 closed 1 year ago

davidcr01 commented 1 year ago

Description

The staff members should not edit or delete the superuser account. That account has maximum permissions on the application, and the possibility that a staff member can update or delete it is a high-risk security problem.

davidcr01 commented 1 year ago

Update Report

To solve this, it is necessary to change both the Admin site and the permissions of the API, which, in this case, work separately.

The API

It is pretty simple to solve this problem in the API. We had this permission assigned in the views.py file:

```python
        elif self.action in ['update', 'partial_update', 'destroy']:
            # Editing and deleting are available only to the Event Managers. Needed for the Event Managers
            # to edit the personal info of the players.
            return [IsOwnerOrAdminPermission()]
```

Then, it is necessary to edit the IsOwnerOrAdminPermission permission:

```python
        if request.user.is_staff and not obj.is_superuser:
            return True
```

With this, we ensure that the staff members can perform the update, partial update and destroy actions as long as the object being modified is not the superuser account.

Admin site

To solve this, it is necessary to edit the CustomUserAdmin class, specifically, to override the has_delete_permission and has_change_permission methods:

```python
    # Overridden method. It prevents staff members from deleting the
    # superuser account, but they can delete other staff accounts.
    def has_delete_permission(self, request, obj=None):
        if obj is not None and obj.is_superuser:
            if request.user.is_superuser:
                return True
            return False

        if not request.user.is_superuser and obj is not None and obj.is_staff:
            # If the user is not a superuser and the object is a staff member, deletion is allowed
            return True
        return super().has_delete_permission(request, obj)

    # Overridden method. It prevents staff members from editing the
    # superuser account, but they can edit other staff accounts.
    def has_change_permission(self, request, obj=None):
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return super().has_change_permission(request, obj)
```

Testing

Trying to edit the superuser account as a staff member with the API:

Trying to delete the superuser account as a staff member with the API:

Trying to edit or delete the superuser account as a staff member with the Admin site:

The "delete" button is not shown and the fields are read-only.
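The API check and the two Admin site overrides described in this report, as one runnable model added here for illustration; this is not code from the WordlePlus repository. It assumes users are plain objects carrying the same three attributes the report's code reads (`pk`, `is_staff`, `is_superuser`), that "owner" means the target is the requesting user's own account (the permission is attached to the user viewset), and that a superuser may act on any account, which the report's admin code implies but the API snippet does not state. The `default` parameter stands in for the `super()` call so the admin logic can run without Django installed.

```python
"""Added example: dependency-free model of the superuser-protection checks.

Not code from the WordlePlus project. User objects are stand-ins for Django's
AbstractUser, reduced to the attributes the checks actually read.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    pk: int
    username: str
    is_staff: bool = False
    is_superuser: bool = False


def api_has_object_permission(request_user, obj):
    """Model of IsOwnerOrAdminPermission.has_object_permission after the fix.

    Order matters: the superuser shortcut (assumed, see lead-in) and the owner
    check come first, so the staff branch only ever decides about *other*
    accounts, and that branch refuses the superuser account.
    """
    if request_user.is_superuser:          # assumption: superuser may act on anything
        return True
    if obj.pk == request_user.pk:          # owner editing their own account
        return True
    if request_user.is_staff and not obj.is_superuser:   # the fix from the report
        return True
    return False


def admin_has_change_permission(request_user, obj=None, default=True):
    """Model of CustomUserAdmin.has_change_permission.

    `default` replaces super().has_change_permission(); Django would consult
    the model's change permission there.
    """
    if obj is not None and obj.is_superuser and not request_user.is_superuser:
        return False
    return default


def admin_has_delete_permission(request_user, obj=None, default=True):
    """Model of CustomUserAdmin.has_delete_permission (same structure as the report)."""
    if obj is not None and obj.is_superuser:
        return request_user.is_superuser   # only a superuser may delete a superuser
    if not request_user.is_superuser and obj is not None and obj.is_staff:
        return True                        # staff may delete other staff accounts
    return default                         # obj is None (changelist) or a plain player


def decision_table(request_user, target):
    """All three decisions for one (actor, target) pair, for side-by-side checks."""
    return {
        "api": api_has_object_permission(request_user, target),
        "admin_change": admin_has_change_permission(request_user, target),
        "admin_delete": admin_has_delete_permission(request_user, target),
    }


# Constructed sample accounts (not real data).
ROOT = User(1, "root", is_staff=True, is_superuser=True)
STAFF = User(2, "manager", is_staff=True)
OTHER_STAFF = User(3, "manager2", is_staff=True)
PLAYER = User(4, "player")


if __name__ == "__main__":
    cases = [(STAFF, ROOT), (STAFF, OTHER_STAFF), (STAFF, STAFF),
             (STAFF, PLAYER), (PLAYER, ROOT), (PLAYER, PLAYER), (ROOT, STAFF)]
    print(f"{'actor':10}{'target':10}{'api':7}{'change':8}{'delete':8}")
    for actor, target in cases:
        d = decision_table(actor, target)
        print(f"{actor.username:10}{target.username:10}"
              f"{str(d['api']):7}{str(d['admin_change']):8}{str(d['admin_delete']):8}")
```

The two things worth checking when porting this back into the project: the API permission reads `obj.is_superuser`, so it must only be attached to a viewset whose objects are user accounts (any other model would raise `AttributeError`), and the protection only covers object-level actions, so the `has_change_permission` override on the admin is what hides the superuser from edits, while `has_delete_permission` alone would still leave the change form editable.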