I gave editors such permission:
-
auth | User | Users can add / change - On
-
auth | Permissions | Still, while editing, they can change their permissions (and they allow themselves to work, which they should not do).
I got a ticket from 2 years ago: and it still works like this.
How to allow user versions (email, password, etc.), but change block permissions?
Your current approach is not going to work. I'm scared.
From:
If you have permission to add users, then you have the power to create superusers, which can then, in turn, change other users.
So if you manage to block the editors by changing the permissions, it will not help, because they can still make the SuperUutter.
No comments:
Post a Comment