Prevent permissions escalation

Hi all,

in my app I have one superuser and no staff users. I only have normal active users, who don’t have access to the admin gui, therefore they can’t change permissions of other users and their own permissions (that’s fine).

I have an “edit profile” page and in the form I use, there is no field that can change the permissions, but I noticed that if I pass all the fields in the form (for testing purposes), the user can change permissions and set himself as superuser.

Is it enough to exclude the “permissions” fields from the form to prevent permissions escalation?

Thanks in advance,

supermario18b

Yes. If the field is not in the form, and the view does not directly retrieve that data from request.POST, then there’s no data submitted for that field that would be accepted by the view.

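To show the mechanism behind that answer, here is an added standalone Python example (not Django code and not from either poster): a minimal ModelForm-like class that only binds keys named in an allowlist, beside the "all fields" variant the question describes. In real Django the allowlist is `Meta.fields` on a `ModelForm`; the `User`, `ProfileForm`, `UnsafeProfileForm` and `CRAFTED_POST` names below are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Stand-in for the auth user row; permission flags default to False."""
    username: str
    email: str = ""
    is_staff: bool = False
    is_superuser: bool = False


class ProfileForm:
    """Allowlisted form: only keys listed in `fields` are ever read from POST."""
    # Permission flags are deliberately absent, as the thread advises.
    fields = ("email",)

    def __init__(self, data, instance):
        self.instance = instance
        # Submitted keys that are not declared fields are simply never looked at.
        self.cleaned_data = {k: data[k] for k in self.fields if k in data}

    def save(self):
        for name, value in self.cleaned_data.items():
            setattr(self.instance, name, value)
        return self.instance


class UnsafeProfileForm(ProfileForm):
    """The 'pass all fields' variant from the question: every matching key is bound."""
    def __init__(self, data, instance):
        self.instance = instance
        self.cleaned_data = {k: v for k, v in data.items() if hasattr(instance, k)}


# Constructed request.POST payload containing extra permission keys.
CRAFTED_POST = {"email": "mario@example.com", "is_staff": "on", "is_superuser": "on"}


def submit(form_cls, post):
    """Bind `post` to a fresh normal user with the given form class and save it."""
    user = User(username="mario")
    form_cls(post, instance=user).save()
    return user


if __name__ == "__main__":
    print(submit(UnsafeProfileForm, CRAFTED_POST))  # is_superuser becomes 'on' (truthy)
    print(submit(ProfileForm, CRAFTED_POST))        # only email changes
```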