Change: restrict altering and creation of superusers to superusers only (#8837)

2025-10-04 01:52:42 -05:00 · 2025-01-20 11:57:22 -08:00
parent 475c231c6f
commit 41bcc12cc2
7 changed files with 194 additions and 1 deletions
--- a/src/documents/tests/test_admin.py
+++ b/src/documents/tests/test_admin.py
@@ -1,4 +1,7 @@
+import types
+
 from django.contrib.admin.sites import AdminSite
+from django.contrib.auth.models import User
 from django.test import TestCase
 from django.utils import timezone

@@ -6,6 +9,7 @@ from documents import index
 from documents.admin import DocumentAdmin
 from documents.models import Document
 from documents.tests.utils import DirectoriesMixin
+from paperless.admin import PaperlessUserAdmin


 class TestDocumentAdmin(DirectoriesMixin, TestCase):
@@ -64,3 +68,22 @@ class TestDocumentAdmin(DirectoriesMixin, TestCase):
            created=timezone.make_aware(timezone.datetime(2020, 4, 12)),
        )
        self.assertEqual(self.doc_admin.created_(doc), "2020-04-12")
+
+
+class TestPaperlessAdmin(DirectoriesMixin, TestCase):
+    def setUp(self) -> None:
+        super().setUp()
+        self.user_admin = PaperlessUserAdmin(model=User, admin_site=AdminSite())
+
+    def test_only_superuser_can_change_superuser(self):
+        non_superuser = User.objects.create(username="requestuser")
+        user = User.objects.create(username="test", is_superuser=False)
+
+        data = {"is_superuser": True}
+        form = self.user_admin.form(data, instance=user)
+        form.request = types.SimpleNamespace(user=non_superuser)
+        self.assertFalse(form.is_valid())
+        self.assertEqual(
+            form.errors.get("__all__"),
+            ["Superuser status can only be changed by a superuser"],
+        )