In my app I have one superuser and no staff users. I only have normal active users, who don't have access to the admin GUI, therefore they can't change the permissions of other users or their own permissions (that's fine).
I have an "edit profile" page, and in the form I use there is no field that can change the permissions, but I noticed that if I pass all the fields in the form (for testing purposes), the user can change permissions and set himself as superuser.
Is it enough to exclude the "permissions" fields from the form to prevent permission escalation?
Thanks in advance,
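The behaviour described in the question is mass assignment: a form that binds every POSTed key onto the user record lets the client set `is_superuser`. The following is an added example (not the poster's code and not Django's own code) that models the three ways a ModelForm can decide which keys to bind: everything (`Meta.fields = "__all__"`), a deny-list (`Meta.exclude`), and an explicit allow-list (`Meta.fields = (...)`). The `User` dataclass, the `can_manage_billing` column, and the `POSTED` body are all constructed for the example. It also shows why excluding the permission fields is weaker than listing the allowed ones: a privileged column added later slips through a deny-list written before it existed.

```python
"""Mass-assignment check for a profile-edit form (added example, plain Python).

The three bind_* functions stand in for how a Django ModelForm selects fields
(Meta.fields = "__all__", Meta.exclude = (...), Meta.fields = (...)); they are
not Django APIs.
"""
from dataclasses import dataclass, fields as dc_fields, replace


@dataclass
class User:
    username: str
    email: str
    is_staff: bool = False
    is_superuser: bool = False
    # Hypothetical privileged column added in a later migration;
    # nobody went back and updated the edit-profile form.
    can_manage_billing: bool = False


# Attributes a user must never be able to change from the profile page.
PRIVILEGED = {"is_staff", "is_superuser", "can_manage_billing"}


def _coerce(current, raw):
    """Convert a POSTed string into the type of the field it targets."""
    if isinstance(current, bool):
        return str(raw).lower() in {"1", "true", "on", "yes"}
    return str(raw)


def bind_all(user, posted):
    """Like Meta.fields = "__all__": every posted key that matches a column is applied."""
    updates = {f.name: _coerce(getattr(user, f.name), posted[f.name])
               for f in dc_fields(user) if f.name in posted}
    return replace(user, **updates)


def bind_exclude(user, posted, excluded):
    """Like Meta.exclude = (...): a deny-list; anything not named is still bound."""
    updates = {f.name: _coerce(getattr(user, f.name), posted[f.name])
               for f in dc_fields(user)
               if f.name in posted and f.name not in excluded}
    return replace(user, **updates)


def bind_allowed(user, posted, allowed):
    """Like Meta.fields = (...): an allow-list; unknown keys are silently dropped."""
    updates = {name: _coerce(getattr(user, name), posted[name])
               for name in allowed if name in posted}
    return replace(user, **updates)


def escalated(before, after):
    """Return the privileged attributes that differ between two records (sorted)."""
    return sorted(n for n in PRIVILEGED if getattr(before, n) != getattr(after, n))


# Constructed POST body: the legitimate profile fields plus privileged keys
# that a hand-crafted request could include alongside them.
POSTED = {
    "username": "alice",
    "email": "alice@example.com",
    "is_superuser": "true",
    "is_staff": "on",
    "can_manage_billing": "1",
}
# Deny-list written at launch, before can_manage_billing existed.
EXCLUDED_AT_LAUNCH = ("is_staff", "is_superuser")
# Allow-list: the only two things the profile page is meant to edit.
PROFILE_FIELDS = ("username", "email")


if __name__ == "__main__":
    u = User("alice", "old@example.com")
    print("__all__ :", escalated(u, bind_all(u, POSTED)))
    print("exclude :", escalated(u, bind_exclude(u, POSTED, EXCLUDED_AT_LAUNCH)))
    print("fields  :", escalated(u, bind_allowed(u, POSTED, PROFILE_FIELDS)))
```

Running it shows the deny-list catching the two fields it knows about but not the later column, while the allow-list binds only `username` and `email` whatever else is posted. In Django terms the practical check is the same: a ModelForm on a user model should declare `Meta.fields` as an explicit tuple of profile fields, and a test that POSTs `is_superuser=true` to the edit-profile view and asserts the flag is unchanged turns that into a regression check.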