Monday, April 29, 2019

Re: More controls on createsuperuser

I've have to agree that any attempt to limit superuser creation through manage.py is wrong solution to wrong problem.

Even it's possible to attempt it it is as easy to circumvent. 

So do not give an access to manage.py to users that are not supposed to. Problem solved for good.

ma 29. huhtik. 2019 klo 21.04 <nimbiotics@gmail.com> kirjoitti:
Anyone capable of running the createsuperuser command on your project most probably has access to all and any of the project's files, specially your config file.

Actually this user is either a valid su or you are in serious trouble because the security of your server sucks or you gave access to your project to the wrong person.

So, no I don't think there is any point in doing so. Not because it can't be done but because it is both trivially useless.and uselessly trivial.



On Sunday, April 28, 2019 at 11:24:57 PM UTC-4, JJ Zolper wrote:
All,

Curious what people think about more thought and control going into who can run the createsuperuser method?

For example say there's models that I don't want anyone to touch except myself as a superuser. Is it not plausible that even if I make a Django Group around that model that someone could still run createsuperuser and give themselves the ability to have full control?

Wouldn't it make sense if some random developer were to run createsuperuser using django settings with any of the databases (as an example) that it prevent them if say that email isn't on say an internal list in the django admin of approved potential users?

I see something like this being a good idea to prevent just anyone from getting full control over the site without it being specifically provided.

Maybe there's something I'm missing something but been reading about third party options and more about what's there and I just feel there's a hole when it comes to who can create a super user account. Obviously you could have a script that you run to initialize who is a super user, what the groups are etc, but then you're basically recording personal information somewhere when that should only be typed in.

Open to ideas and thoughts, mostly just curious what could be a good answer.

Best,

JJ

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/f85e2d9b-ec2d-4814-b4d5-df137bf8a883%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAHn91oeeEhnsdrWfur0pV-%2B-BGU_mT70fbbmc7qFM1SwB3Df%2Bg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment