Change: restrict altering and creation of superusers to superusers only (#8837)

2025-08-07 19:08:32 -05:00 · 2025-01-20 11:57:22 -08:00
parent 475c231c6f
commit 41bcc12cc2
7 changed files with 194 additions and 1 deletions
--- a/src/paperless/admin.py
+++ b/src/paperless/admin.py
@@ -0,0 +1,53 @@
+from django import forms
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin
+from django.contrib.auth.models import User
+
+
+class PaperlessUserForm(forms.ModelForm):
+    """
+    Custom form for the User model that adds validation to prevent non-superusers
+    from changing the superuser status of a user.
+    """
+
+    class Meta:
+        model = User
+        fields = [
+            "username",
+            "first_name",
+            "last_name",
+            "email",
+            "is_staff",
+            "is_active",
+            "is_superuser",
+            "groups",
+            "user_permissions",
+        ]
+
+    def clean(self):
+        cleaned_data = super().clean()
+        user_being_edited = self.instance
+        is_superuser = cleaned_data.get("is_superuser")
+
+        if (
+            not self.request.user.is_superuser
+            and is_superuser != user_being_edited.is_superuser
+        ):
+            raise forms.ValidationError(
+                "Superuser status can only be changed by a superuser",
+            )
+
+        return cleaned_data
+
+
+class PaperlessUserAdmin(UserAdmin):
+    form = PaperlessUserForm
+
+    def get_form(self, request, obj=None, **kwargs):
+        form = super().get_form(request, obj, **kwargs)
+        form.request = request
+        return form
+
+
+admin.site.unregister(User)
+admin.site.register(User, PaperlessUserAdmin)
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -109,6 +109,25 @@ class UserViewSet(ModelViewSet):
    filterset_class = UserFilterSet
    ordering_fields = ("username",)

+    def create(self, request, *args, **kwargs):
+        if not request.user.is_superuser and request.data.get("is_superuser") is True:
+            return HttpResponseForbidden(
+                "Superuser status can only be granted by a superuser",
+            )
+        return super().create(request, *args, **kwargs)
+
+    def update(self, request, *args, **kwargs):
+        user_to_update: User = self.get_object()
+        if (
+            not request.user.is_superuser
+            and request.data.get("is_superuser") is not None
+            and request.data.get("is_superuser") != user_to_update.is_superuser
+        ):
+            return HttpResponseForbidden(
+                "Superuser status can only be changed by a superuser",
+            )
+        return super().update(request, *args, **kwargs)
+
    @action(detail=True, methods=["post"])
    def deactivate_totp(self, request, pk=None):
        request_user = request.user