Skip to content

fix: CourseLimitedStaffRole should not be able to access studio. #311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DeimerM wants to merge 1 commit into
base: ednx-release/teak.master
Choose a base branch
from
Open

fix: CourseLimitedStaffRole should not be able to access studio. #311

DeimerM wants to merge 1 commit into from

Conversation

@DeimerM
Copy link

@DeimerM DeimerM commented Dec 24, 2025

This is a backport from the following commit: openedx@ea63816

If you want to read farther information, you can refer to the following security issue: GHSA-rh64-vc2h-7wfj

@feanil @DeimerM
fix: CourseLimitedStaffRole should not be able to access studio.
461788b 
We previously fixed this when the CourseLimitedStaffRole was applied to
a course but did not handle the case where the role is applied to a user
for a whole org.  The underlying issue is that the CourseLimitedStaffRole
is a subclass of the CourseStaffRole and much of the system assumes that
subclesses are for giving more access not less access.

To prevent that from happening for the case of the CourseLimitedStaffRole,
when we do CourseStaffRole access checks, we use the strict_role_checking
context manager to ensure that we're not accidentally granting the
limited_staff role too much access.
@DeimerM DeimerM requested a review from a team December 24, 2025 21:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@DeimerM @feanil