Dashboard users should not be able to change their own role
Changing yourself from "admin" to "user" is one thing (that's OK for now), but being able to change yourself from "user" to "admin" should not be allowed.
Steps:
- Give a user "User" access to the dashboard
- Log into the dashboard as that user
- Click icon in top right -> Configure User
- I can now change my role from "User" to "Admin"
Note that `put_user` is also not protected by the `is_admin` decorator in the back-end. That's because "User" users are allowed to change their own name and e-mail address. They shouldn't be allowed to change their own role, though.
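The fix the report points at is a field-level check rather than wrapping the whole endpoint in `is_admin`: non-admins may still edit their own name and e-mail, but any change to `role` needs an admin actor. Below is an added, framework-free Python model of that handler with the weak shape beside a hardened one; it is not the project's code, and every name in it (`User`, `Forbidden`, `put_user_vulnerable`, `put_user_hardened`, `SELF_EDITABLE`, `ADMIN_ONLY`) is an assumption for illustration, as is the sample data.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    """Server-side user record (constructed for this example)."""
    id: int
    name: str
    email: str
    role: str  # "admin" or "user"


class Forbidden(Exception):
    """Raised when the caller may not make the requested change."""


# Fields a "user" may change on their own record, per the report.
SELF_EDITABLE = {"name", "email"}
# Fields only an admin may change; role is the one the report is about.
ADMIN_ONLY = {"role"}


def _may_touch_record(actor: User, target: User) -> bool:
    # Record-level check only: your own record, or you are an admin.
    return actor.id == target.id or actor.role == "admin"


def put_user_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Models the bug: after the record-level check, every submitted field
    is applied, so a "user" editing their own record can also set role."""
    if not _may_touch_record(actor, target):
        raise Forbidden("not your record")
    return replace(target, **payload)


def put_user_hardened(actor: User, target: User, payload: dict) -> User:
    """Record-level check plus a field-level check on role.

    actor.role must come from the server-side session, never from the
    request body, otherwise the admin test can be satisfied by the client."""
    if not _may_touch_record(actor, target):
        raise Forbidden("not your record")
    unknown = set(payload) - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        # Reject unexpected fields instead of silently dropping them; an
        # explicit allow-list keeps the editable surface small and visible.
        raise Forbidden(f"fields not editable here: {sorted(unknown)}")
    if ("role" in payload
            and payload["role"] != target.role
            and actor.role != "admin"):
        # Forms often post the whole object, so an unchanged role is a
        # harmless no-op; any actual change to role requires an admin.
        raise Forbidden("only an admin may change a role")
    # Admins may still lower their own role (the report treats that as OK).
    return replace(target, **payload)
```

The hardened version keeps the endpoint usable for self-service profile edits while closing the "user" to "admin" path, and it also refuses fields outside the allow-list so that new columns added to the model later do not become editable by accident.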