Prevent staff members from gaining additional permissions
Situation
The admin site is used to perform all kinds of administrative tasks. A user needs at least staff status to access it. In addition, the user needs the appropriate permission to perform any action on the admin site, whether reading or changing objects. That way it is possible to define sub-admins that have limited access but can still perform many day-to-day admin tasks, so the superuser can delegate that workload to sub-admins.
Problem
However, this does not really work for Users, Groups and States. Anyone with change access to those areas will also be able to grant himself any additional permission, e.g. via user or groups. The dilemma here is that those are normally the tasks that occur most often, e.g. creating a new group.
Solution
For now, superusers should be careful about giving staff members write permission to Users, Groups or States.
A possible solution would be to restrict write access to permissions to superusers only. That way most actions on those models could still be performed.
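One way to implement that restriction in Django's admin, as an added example that is not the project's own code: a mixin that makes the permission-granting fields read-only for anyone who is not a superuser. The mixin name, `superuser_only_fields` and the stub classes are hypothetical; the field names are those of Django's stock `User` and `Group` models.

```python
# Added example, not the project's code. The mixin relies only on Django's
# ModelAdmin.get_readonly_fields(request, obj=None) hook; read-only fields are
# left out of the admin form, so values posted for them are ignored.

class SuperuserOnlyFieldsMixin:
    """Make permission-granting fields read-only for non-superusers."""
    superuser_only_fields = ()  # hypothetical attribute, set per admin class

    def get_readonly_fields(self, request, obj=None):
        readonly = list(super().get_readonly_fields(request, obj))
        if not request.user.is_superuser:
            readonly += [f for f in self.superuser_only_fields if f not in readonly]
        return tuple(readonly)


# Wiring in a Django project (kept as comments so the block runs without Django):
#   from django.contrib import admin
#   from django.contrib.auth.admin import GroupAdmin, UserAdmin
#   from django.contrib.auth.models import Group, User
#
#   class RestrictedUserAdmin(SuperuserOnlyFieldsMixin, UserAdmin):
#       superuser_only_fields = ("is_superuser", "user_permissions")
#   class RestrictedGroupAdmin(SuperuserOnlyFieldsMixin, GroupAdmin):
#       superuser_only_fields = ("permissions",)
#
#   admin.site.unregister(User);  admin.site.register(User, RestrictedUserAdmin)
#   admin.site.unregister(Group); admin.site.register(Group, RestrictedGroupAdmin)


# Constructed stand-ins for ModelAdmin and the request, to exercise the mixin offline.
class _StubAdmin:
    readonly_fields = ("last_login",)

    def get_readonly_fields(self, request, obj=None):
        return self.readonly_fields

class _StubUser:
    def __init__(self, is_superuser):
        self.is_superuser = is_superuser

class _StubRequest:
    def __init__(self, is_superuser):
        self.user = _StubUser(is_superuser)

class DemoUserAdmin(SuperuserOnlyFieldsMixin, _StubAdmin):
    superuser_only_fields = ("is_superuser", "user_permissions")

def readonly_for(is_superuser):
    """Return the read-only fields the demo admin reports for this kind of user."""
    return DemoUserAdmin().get_readonly_fields(_StubRequest(is_superuser))
```

The `groups` field on the user form stays editable in this sketch, so membership in a group that already holds permissions can still be assigned; add it to `superuser_only_fields` if that should be reserved for superusers as well.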