From 1518a4aeed1dc6f3c243955cb2f6d37b330c30f6 Mon Sep 17 00:00:00 2001
From: mkangia <mkangia@dimagi.com>
Date: Mon, 17 Dec 2018 15:51:23 +0530
Subject: [PATCH] avoid admin permissions to access everything as well

---
 corehq/apps/users/models.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/corehq/apps/users/models.py b/corehq/apps/users/models.py
index eae12b8e4075..54ef06ce2516 100644
--- a/corehq/apps/users/models.py
+++ b/corehq/apps/users/models.py
@@ -652,6 +652,9 @@ def has_permission(self, domain, permission, data=None, restrict_global_admin=Fa
 
         dm = self.get_domain_membership(domain)
         if dm:
+            # an admin has access to all features by default, restrict that if needed
+            if dm.is_admin and restrict_global_admin:
+                return False
             return dm.has_permission(permission, data)
         else:
             return False