From 1744428dd0878fffb481c0bfe6b441ff488b15aa Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Mon, 20 Jan 2025 10:50:04 -0800
Subject: [PATCH] Also disable via admin
---
 src/documents/tests/test_admin.py | 23 +++++++++++++++
 src/paperless/admin.py | 48 +++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 src/paperless/admin.py
diff --git a/src/documents/tests/test_admin.py b/src/documents/tests/test_admin.py
index a32a31adf..3f27c80f3 100644
--- a/src/documents/tests/test_admin.py
+++ b/src/documents/tests/test_admin.py
@@ -1,4 +1,7 @@
+import types
+
 from django.contrib.admin.sites import AdminSite
+from django.contrib.auth.models import User
 from django.test import TestCase
 from django.utils import timezone
@@ -6,6 +9,7 @@ from documents import index
 from documents.admin import DocumentAdmin
 from documents.models import Document
 from documents.tests.utils import DirectoriesMixin
+from paperless.admin import PaperlessUserAdmin
 class TestDocumentAdmin(DirectoriesMixin, TestCase):
@@ -64,3 +68,22 @@ class TestDocumentAdmin(DirectoriesMixin, TestCase):
 created=timezone.make_aware(timezone.datetime(2020, 4, 12)),
 )
 self.assertEqual(self.doc_admin.created_(doc), "2020-04-12")
+
+
+class TestPaperlessAdmin(DirectoriesMixin, TestCase):
+ def setUp(self) -> None:
+ super().setUp()
+ self.user_admin = PaperlessUserAdmin(model=User, admin_site=AdminSite())
+
+ def test_only_superuser_can_change_superuser(self):
+ non_superuser = User.objects.create(username="requestuser")
+ user = User.objects.create(username="test", is_superuser=False)
+
+ data = {"is_superuser": True}
+ form = self.user_admin.form(data, instance=user)
+ form.request = types.SimpleNamespace(user=non_superuser)
+ self.assertFalse(form.is_valid())
+ self.assertEqual(
+ form.errors.get("__all__"),
+ ["Superuser status can only be changed by a superuser"],
+ )
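Review bot: `data = {"is_superuser": True}` in test_only_superuser_can_change_superuser omits the required `username`, so `assertFalse(form.is_valid())` holds whether or not the superuser guard exists; only the `__all__` comparison actually exercises it. Using `data = {"username": "test", "is_superuser": True}` would make the guard the sole reason for rejection. The class also has no accepting case: a test with a superuser requester, and one where a non-superuser saves without touching the flag, would catch a guard that rejects everything. The form is built from `self.user_admin.form` directly, so `get_form` attaching `request` to the form is not covered either.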
diff --git a/src/paperless/admin.py b/src/paperless/admin.py
new file mode 100644
index 000000000..0ff506fe1
--- /dev/null
+++ b/src/paperless/admin.py
@@ -0,0 +1,48 @@
+from django import forms
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin
+from django.contrib.auth.models import User
+
+
+class PaperlessUserForm(forms.ModelForm):
+ class Meta:
+ model = User
+ fields = [
+ "username",
+ "first_name",
+ "last_name",
+ "email",
+ "is_staff",
+ "is_active",
+ "is_superuser",
+ "groups",
+ "user_permissions",
+ ]
+
+ def clean(self):
+ cleaned_data = super().clean()
+ user_being_edited = self.instance
+ is_superuser = cleaned_data.get("is_superuser")
+
+ if (
+ not self.request.user.is_superuser
+ and is_superuser != user_being_edited.is_superuser
+ ):
+ raise forms.ValidationError(
+ "Superuser status can only be changed by a superuser",
+ )
+
+ return cleaned_data
+
+
+class PaperlessUserAdmin(UserAdmin):
+ form = PaperlessUserForm
+
+ def get_form(self, request, obj=None, **kwargs):
+ form = super().get_form(request, obj, **kwargs)
+ form.request = request
+ return form
+
+
+admin.site.unregister(User)
+admin.site.register(User, PaperlessUserAdmin)
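Review bot: `clean()` in PaperlessUserForm guards only the `is_superuser` flag, while `Meta.fields` leaves `groups` and `user_permissions` editable by the same non-superuser requester, so the restriction does not stop equivalent privileges being granted through those fields; Django's admin documentation treats the right to edit users as equivalent to superuser for this reason. A non-superuser with change rights can also still edit the other fields of an existing superuser account (e-mail, `is_active`). Consider making the permission-bearing fields read-only for non-superusers and refusing change permission on superuser objects, as sketched below. Separately, the form derives from `forms.ModelForm` rather than `UserChangeForm`; if the `password` field from UserAdmin's fieldsets reaches this form it would presumably render as a plain editable field instead of the read-only hash widget, which is worth confirming.

```python
class PaperlessUserAdmin(UserAdmin):
    form = PaperlessUserForm

    # … unchanged: get_form …

    def get_readonly_fields(self, request, obj=None):
        readonly = list(super().get_readonly_fields(request, obj))
        if not request.user.is_superuser:
            # Permission-bearing fields are shown but cannot be submitted.
            readonly += ["groups", "user_permissions"]
        return readonly

    def has_change_permission(self, request, obj=None):
        # Non-superusers may not edit superuser accounts at all.
        if obj is not None and obj.is_superuser and not request.user.is_superuser:
            return False
        return super().has_change_permission(request, obj)
```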