django-q2
Task creation/modification in the admin is a huge security hole
Thanks for picking up django-q!!
There's a serious issue that I reported in the original repo: https://github.com/Koed00/django-q/issues/371
TLDR: admin integration allows privileged users to run arbitrary python code, which is some pretty serious privilege escalation, but in the discussion it didn't seem to bother contributors/maintainers.
Now that this project was picked up by different people, maybe we can revisit this?
The proposed solution was to disable creation/modification through the admin by default, add a setting to allow it, and clearly document the risk next to that setting's doc.
Thanks for creating the issue. I hadn't come across this yet in the original repo.
I would consider this a very low risk, high impact vulnerability. Someone gaining access to the admin panel is already a very serious issue, as they could alter/delete data. Having access to the django-q2 scheduling option can make things worse by running code execution.
The proposed solution was to disable creation/modification through the admin by default, add a setting to allow it, and clearly document the risk next to that setting's doc.
I am happy to implement this (or someone else can do it as it will take some time before I get to this), but I don't think setting the default to disable is a good idea right now. A lot of people don't read changelogs/release notes, so I would rather not change any defaults unless absolutely necessary. Adding the setting to the example config in the install documentation would be a good idea, so people will have this disabled by default.
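One way the opt-in setting discussed above could be wired into the admin, as an added example that is not django-q2's code: a ModelAdmin mixin that refuses create/change/delete of schedules unless Q_CLUSTER["ALLOW_ADMIN_TASK_EDIT"] (a hypothetical key name) is explicitly True, failing closed on a missing or mistyped value. The _DemoModelAdmin stand-in replaces django.contrib.admin.ModelAdmin only so the block runs without Django installed.

```python
"""Gate django-q2 schedule editing in the Django admin behind an opt-in setting.
Added example, not django-q2 code; Q_CLUSTER["ALLOW_ADMIN_TASK_EDIT"] is a
hypothetical key. The mixin uses only the real ModelAdmin permission hooks."""
from types import SimpleNamespace
from typing import Any, Mapping, Optional

SETTING_KEY = "ALLOW_ADMIN_TASK_EDIT"  # hypothetical key inside Q_CLUSTER


def admin_task_edit_allowed(q_cluster: Optional[Mapping[str, Any]]) -> bool:
    """True only on an explicit opt-in; a missing dict, a missing key or any
    non-True value (e.g. the string "true") fails closed."""
    return bool(q_cluster) and q_cluster.get(SETTING_KEY) is True


class AdminEditGateMixin:
    """Mix in before ModelAdmin. Create/change/delete are refused unless the
    setting is on; when it is, ModelAdmin's own per-user checks still run via
    super(). Viewing the changelist is left untouched either way."""

    def get_q_cluster_settings(self) -> Optional[Mapping[str, Any]]:
        try:
            from django.conf import settings  # real project: read Q_CLUSTER
        except ImportError:
            return None  # no Django on this interpreter: stay closed
        return getattr(settings, "Q_CLUSTER", None)

    def _gate_open(self) -> bool:
        return admin_task_edit_allowed(self.get_q_cluster_settings())

    def has_add_permission(self, request, *args):  # *args: inline admins pass obj
        return self._gate_open() and super().has_add_permission(request, *args)

    def has_change_permission(self, request, obj=None):
        return self._gate_open() and super().has_change_permission(request, obj)

    def has_delete_permission(self, request, obj=None):
        return self._gate_open() and super().has_delete_permission(request, obj)


class _DemoModelAdmin:
    """Stand-in for django.contrib.admin.ModelAdmin: grants staff everything."""
    def has_add_permission(self, request, *args): return request.user.is_staff
    def has_change_permission(self, request, obj=None): return request.user.is_staff
    def has_delete_permission(self, request, obj=None): return request.user.is_staff


class DemoScheduleAdmin(AdminEditGateMixin, _DemoModelAdmin):
    def __init__(self, q_cluster): self.q_cluster = q_cluster
    def get_q_cluster_settings(self): return self.q_cluster  # bypass django.conf


def can_edit(q_cluster, is_staff=True) -> bool:
    """Would this Q_CLUSTER config let a staff user change a schedule?"""
    request = SimpleNamespace(user=SimpleNamespace(is_staff=is_staff))  # constructed
    return DemoScheduleAdmin(q_cluster).has_change_permission(request)
```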