Daniel

Reputation: 3531

Is it safe to grant "auth | User | Can change user" permissions without the "is staff" flag?

I need certain users to edit django.contrib.auth.models.User objects.

My first thought was to grant them the auth | User | Can change user permission and flag them as is staff, so they can log into the Django Admin site. The problem, though, is that they can use that to make themselves super admins.

Since I want them to only be able to edit certain fields, I created a very limited view for that. What's left for me to do, is to actually grant permission on that view to that subset of users. The only solution I found was to still grant them the auth | User | Can change user permission (without making them staff).

My question is this:

If I use the @permission_required decorator on that view in cooperation with the auth | User | Can change user permission, is there any other way for the users to hack their way into granting themselves the super admin role (even assuming the user is an advanced Django programmer)? I am talking about things like e.g. API calls I am unaware of, or similar.

I want to take possible mistakes in my code out of the scope here.

Upvotes: 1

Views: 629

Answers (2)

Alasdair

Reputation: 308999

It might be better to create a custom permission e.g. 'can_change_user_restricted', and check for that permission in your custom view.

Then you don't need to worry that in future another view/api might be added, or the is_staff flag might be set, and suddenly the user can make themselves a superuser.

Upvotes: 2
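The approach Alasdair describes, as an added example that is not code from this thread: a narrow custom permission is checked instead of the broad `auth.change_user`, and the view only ever applies an allow-list of fields, so `is_superuser`/`is_staff` cannot be set through it. The permission name and the field list are assumptions, and the block is duck-typed so it runs without Django (`actor` stands in for `request.user`, `target` for a `User` row).

```python
"""Narrow permission plus field allow-list for editing User objects.

Added example, not from the thread. Duck-typed so it runs without Django:
`actor` only needs has_perm(), `target` only needs settable attributes.
"""

# Custom permission name (assumed). In Django it would be declared in a
# model's Meta.permissions and checked with
# @permission_required("auth.change_user_restricted") on the view.
RESTRICTED_PERM = "auth.change_user_restricted"

# Only these fields may be changed through the restricted view.
EDITABLE_FIELDS = frozenset({"first_name", "last_name", "email"})


class RestrictedUpdateDenied(Exception):
    """Actor lacks the permission or tried to touch a non-editable field."""


def restricted_user_update(actor, target, data):
    """Apply `data` to `target` only if `actor` holds the narrow permission.

    The whole update is rejected (nothing is written) if any key falls
    outside EDITABLE_FIELDS, so a request that smuggles in is_superuser,
    is_staff or user_permissions cannot escalate privileges.
    """
    if not actor.has_perm(RESTRICTED_PERM):
        raise RestrictedUpdateDenied("missing %s" % RESTRICTED_PERM)
    forbidden = sorted(set(data) - EDITABLE_FIELDS)
    if forbidden:
        raise RestrictedUpdateDenied("not editable here: %s" % ", ".join(forbidden))
    for field, value in data.items():
        setattr(target, field, value)
    return target


class DemoUser:
    """Constructed stand-in for django.contrib.auth.models.User (offline demo)."""

    def __init__(self, username, perms=(), is_superuser=False):
        self.username = username
        self.email = ""
        self.is_staff = False
        self.is_superuser = is_superuser
        self._perms = frozenset(perms)

    def has_perm(self, perm):
        # Like Django's User.has_perm: a superuser implicitly holds every permission.
        return self.is_superuser or perm in self._perms
```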

trex

Reputation: 4057

IMHO, yes, it is very safe to use your own type/create any type of custom fields on User.

In one of our projects, we had added 2-3 types of admin users and it was pretty secure. We had added Maintainer, Administrator, SuperUser and two types of end user (that was a requirement). We had done many customizations in Django Admin as well to list all types of groups and users in the Django Admin.

JFYI we had not provided access to Django Admin to the customers, we had provided SuperUser login to create any type of User to access our tool.

Upvotes: 1
