only superuser can set the superuser flag

accounts/forms.py

@@ -4,17 +4,11 @@ from django.forms.widgets import PasswordInput
 from accounts.models import *
 
 
-__all__ = ['UserForm', 'UserFormWithoutUsername', 'ProfileForm', 'GroupForm', 'TeamForm']
+__all__ = ['ProfileForm', 'GroupForm', 'TeamForm']
 
 
-user_fields=['first_name', 'last_name', 'email', 'notifications']
-
-UserForm = modelform_factory(User,
-        fields=['username']+user_fields+['is_superuser'])
-UserFormWithoutUsername = modelform_factory(User,
-        fields=user_fields+['is_superuser'])
 ProfileForm = modelform_factory(User,
-        fields=user_fields)
+        fields=['first_name', 'last_name', 'email', 'notifications'])
 GroupForm = modelform_factory(Group,
         fields=['name'])
 TeamForm = modelform_factory(Team,

accounts/views.py

@@ -7,6 +7,7 @@ from django.db.models import Q
 from django.core.exceptions import ObjectDoesNotExist
 from django.conf import settings
 from django.contrib.auth.forms import PasswordChangeForm
+from django.forms.models import modelform_factory
 from django import VERSION
 
 from django.http import Http404, HttpResponse
@@ -82,14 +83,19 @@ def user_details(request, user):
 @project_perm_required('manage_accounts')
 def user_edit(request, user=None):
 
+    fields = []
     if user:
         user = get_object_or_404(User, id=user)
-        if settings.EXTERNAL_AUTH:
-            form = UserFormWithoutUsername(request.POST or None, instance=user)
+        if not settings.EXTERNAL_AUTH:
+            fields += ['username']
     else:
+        fields += ['username']
+    fields += ['first_name', 'last_name', 'email', 'notifications']
+    if request.user.is_superuser:
+        fields += ['is_superuser']
+
+    UserForm = modelform_factory(User, fields=fields)
     form = UserForm(request.POST or None, instance=user)
-    else:
-        form = UserForm(request.POST or None)
 
     if request.method == 'POST' and form.is_valid():
         newuser = form.save()