I gave the editors these permissions:

  • auth | user | can add/change user - ON

  • auth | permissions | can add/change permissions - OFF

Still, when editing, they can change their own permissions (and allow themselves actions they shouldn't do). I've found a ticket from 2 years ago: http://code.djangoproject.com/ticket/6519 and it still works this way.

How can I allow editing users (email, passwords, etc.) but block permission changes?

+1  A: 

Your current approach isn't going to work, I'm afraid.

From the Django docs:

"If you have permission to add users, you have the power to create superusers, which can then, in turn, change other users."

So if you manage to block the editors from changing permissions, it will not help, because they could still create superusers that can.

Alasdair
Yeah, seems quite logical :/
zalew
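
One way to close both routes discussed above (editing the permission fields directly, and adding a user who is then promoted on the change form) is to lock the privilege fields in the admin itself. This is an added example, not code from the question, the answer or Django; it relies on the `ModelAdmin` hooks `get_readonly_fields` and `has_change_permission`, and the mixin and class names are hypothetical.

```python
# Added example: a mixin for Django's UserAdmin (names below are hypothetical).
PRIVILEGED_FIELDS = ("is_superuser", "groups", "user_permissions")


class NoSelfEscalationMixin:
    """Let non-superuser staff edit users without touching privilege fields."""

    def get_readonly_fields(self, request, obj=None):
        readonly = tuple(super().get_readonly_fields(request, obj))
        if request.user.is_superuser:
            return readonly
        # Read-only fields are excluded from the generated ModelForm, so a
        # hand-crafted POST containing them is ignored, not merely hidden.
        extra = tuple(f for f in PRIVILEGED_FIELDS if f not in readonly)
        return readonly + extra

    def has_change_permission(self, request, obj=None):
        allowed = super().has_change_permission(request, obj)
        # Editors must not edit (or reset the password of) a superuser account.
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return allowed


# Wiring it up in admin.py (assumes the stock django.contrib.auth User model):
#
#   from django.contrib import admin
#   from django.contrib.auth.admin import UserAdmin
#   from django.contrib.auth.models import User
#
#   class EditorUserAdmin(NoSelfEscalationMixin, UserAdmin):
#       pass
#
#   admin.site.unregister(User)
#   admin.site.register(User, EditorUserAdmin)
```

Because a newly added user is finished on the change form, the read-only privilege fields also stop an editor from creating a superuser there.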