All,
-- Curious what people think about more thought and control going into who can run the createsuperuser method?
For example say there's models that I don't want anyone to touch except myself as a superuser. Is it not plausible that even if I make a Django Group around that model that someone could still run createsuperuser and give themselves the ability to have full control?
Wouldn't it make sense if some random developer were to run createsuperuser using django settings with any of the databases (as an example) that it prevent them if say that email isn't on say an internal list in the django admin of approved potential users?
I see something like this being a good idea to prevent just anyone from getting full control over the site without it being specifically provided.
Maybe there's something I'm missing something but been reading about third party options and more about what's there and I just feel there's a hole when it comes to who can create a super user account. Obviously you could have a script that you run to initialize who is a super user, what the groups are etc, but then you're basically recording personal information somewhere when that should only be typed in.
Open to ideas and thoughts, mostly just curious what could be a good answer.
Best,
JJ
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/f8e18aa2-becb-4c06-bc6b-397652332602%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment