Page MenuHomePhabricator
Create Task
Maniphest T237160

Remove `is_staff` checks from Tracker
Open, LowPublic
Actions

Description

Problem

Tracker contains some user.is_staff checks, which can expose some information even to admins with no permission to see it. Example of this is in viewsets.py. or importcsv/export in views.py. This is problematic because user who is a staff can have zero permissions assigned, and thus, actually have no advanced permissions.

Proposed solution

Please fix one occurance of this bug. You should use your own judgement if a new permission would be appropriate, or if one of Django default permissions can be reused.

Student is expected to send a patch for wikimedia-cz/tracker repository, hosted at Wikimedia Gerrit. When claiming task on GCI website, student should claim a respective Phabricator task as well.

Materials

Event Timeline

Urbanecm created this task.Nov 2 2019, 4:15 PM
Gopavasanth moved this task from Proposed tasks to Imported in GCI Site on the Google-Code-in-2019 board.Nov 2 2019, 4:46 PM
Gopavasanth subscribed.

Imported into GCI site here: https://codein.withgoogle.com/tasks/5265182461263872/

Urbanecm added a comment.Nov 2 2019, 5:11 PM

Thank you, Gopa, but, in the future, I'd like to import my own tasks myself.. Thanks!

Florian subscribed.Nov 2 2019, 5:50 PM

Hi,

it might relate to my missing knowledge of the codebase, however, GCI students will not have any context as well, so: Can you give a bit more context of the problem? Why is an "is_staff" check problematic and what is the expected replacement? Checking for a specific permission? Adding a new one or re-using an existing one? Once this is clarified, I would be happy to publish this task on the GCI website :)

Urbanecm added a comment.Nov 2 2019, 5:57 PM

Sure @Florian.

Urbanecm updated the task description. (Show Details)Nov 2 2019, 5:59 PM
Florian added a comment.Nov 2 2019, 6:04 PM

Awesome, thanks @Urbanecm :) I published the task!

Urbanecm moved this task from Inbox to GCI on the WMCZ-Tracker board.Nov 4 2019, 12:55 PM
Urbanecm triaged this task as Low priority.Jul 21 2020, 10:25 PM
Urbanecm added a project: good first task.Jul 21 2020, 10:27 PM
Urbanecm moved this task from GCI to Ready (PM's approval not needed) on the WMCZ-Tracker board.Jul 21 2020, 10:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL