Prevent non-superusers from modifying site settings
Review Request #8330 — Created Aug. 15, 2016 and submitted — Latest diff uploaded
Previously, any staff member (superuser or non-superuser) could change
any of the site settings. We now prevent all non-superuser staff members
from accessing site settings views so that they cannot. A new decorator
(similar to Django's staff_member_required) has been added to
accomplish this.
- Manually verified that superusers can still change settings.
- Manually verified that non-superusers are shown a permission denied
page.
- Manually verified that unauthenticated users are shown a login form.
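A framework-free sketch of the access check the description outlines, added here as an illustration and not Review Board's own decorator. The names `superuser_required`, `site_settings`, `User`, `Request` and `LOGIN_URL` are hypothetical, and the user attributes are stand-ins modelled on Django's user flags.

```python
from dataclasses import dataclass
from functools import wraps
from urllib.parse import urlencode

LOGIN_URL = "/account/login/"  # assumed path, not taken from the page


@dataclass
class User:
    """Stand-in for a framework user object (constructed for this example)."""
    is_authenticated: bool = False
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False


@dataclass
class Request:
    """Stand-in for a framework request object (constructed for this example)."""
    path: str
    user: User


def superuser_required(view):
    """Gate a view so only active superusers reach it (hypothetical name)."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        user = request.user
        if not user.is_authenticated:
            # Anonymous: send to login, remembering where they were headed.
            return 302, LOGIN_URL + "?" + urlencode({"next": request.path})
        if not (user.is_active and user.is_superuser):
            # Logged in but not a superuser (staff included): deny. There is
            # no fallback to is_staff, which was the previous behaviour.
            return 403, "permission denied"
        return view(request, *args, **kwargs)
    return wrapper


@superuser_required
def site_settings(request):
    """Placeholder for a settings view."""
    return 200, "settings form"
```

The three outcomes correspond to the three manual checks listed above; the inactive-superuser case is an extra check beyond what the page tests.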
Diff Revision 2
This is not the most recent revision of the diff. The latest diff is revision 3. See what's changed.
- reviewboard/admin/decorators.py
- reviewboard/admin/views.py
- reviewboard/static/rb/css/pages/admin.less
- reviewboard/templates/admin/permission_denied.html