Change: restrict superuser modifications to superusers only

2025-11-23 23:49:08 -06:00 · 2025-10-24 16:25:59 -07:00
parent 276dc31abe
commit 63dab0ab09
2 changed files with 39 additions and 0 deletions
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -125,6 +125,10 @@ class UserViewSet(ModelViewSet):

    def update(self, request, *args, **kwargs):
        user_to_update: User = self.get_object()
+        if not request.user.is_superuser and user_to_update.is_superuser:
+            return HttpResponseForbidden(
+                "Superusers can only be modified by other superusers",
+            )
        if (
            not request.user.is_superuser
            and request.data.get("is_superuser") is not None