Page MenuHomePhabricator
Create Task
Maniphest T237160

Remove `is_staff` checks from Tracker
Open, LowPublic
Actions

Description

Problem

Tracker contains some user.is_staff checks, which can expose some information even to admins with no permission to see it. Example of this is in viewsets.py. or importcsv/export in views.py. This is problematic because user who is a staff can have zero permissions assigned, and thus, actually have no advanced permissions.

Proposed solution

Please fix one occurance of this bug. You should use your own judgement if a new permission would be appropriate, or if one of Django default permissions can be reused.

Student is expected to send a patch for wikimedia-cz/tracker repository, hosted at Wikimedia Gerrit. When claiming task on GCI website, student should claim a respective Phabricator task as well.

Materials

Event Timeline

Urbanecm created this task.Nov 2 2019, 4:15 PM
Gopavasanth moved this task from Proposed tasks to Imported in GCI Site on the Google-Code-in-2019 board.Nov 2 2019, 4:46 PM
Gopavasanth subscribed.

Imported into GCI site here: https://codein.withgoogle.com/tasks/5265182461263872/

Urbanecm added a comment.Nov 2 2019, 5:11 PM

Thank you, Gopa, but, in the future, I'd like to import my own tasks myself.. Thanks!

Florian subscribed.Nov 2 2019, 5:50 PM

Hi,

it might relate to my missing knowledge of the codebase, however, GCI students will not have any context as well, so: Can you give a bit more context of the problem? Why is an "is_staff" check problematic and what is the expected replacement? Checking for a specific permission? Adding a new one or re-using an existing one? Once this is clarified, I would be happy to publish this task on the GCI website :)

Urbanecm added a comment.Nov 2 2019, 5:57 PM

Sure @Florian.

Urbanecm updated the task description. (Show Details)Nov 2 2019, 5:59 PM
Florian added a comment.Nov 2 2019, 6:04 PM

Awesome, thanks @Urbanecm :) I published the task!

Urbanecm moved this task from Inbox to GCI on the WMCZ-Tracker board.Nov 4 2019, 12:55 PM
Urbanecm triaged this task as Low priority.Jul 21 2020, 10:25 PM
Urbanecm added a project: good first task.Jul 21 2020, 10:27 PM
Urbanecm moved this task from GCI to Ready (PM's approval not needed) on the WMCZ-Tracker board.Jul 21 2020, 10:28 PM
gerritbot added a comment.Aug 14 2025, 6:27 AM

Change #1178712 had a related patch set uploaded (by Vanshika11; author: Vanshika11):

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

https://gerrit.wikimedia.org/r/1178712

gerritbot added a project: Patch-For-Review.Aug 14 2025, 6:27 AM

Change #1178713 had a related patch set uploaded (by Vanshika11; author: Vanshika11):

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

https://gerrit.wikimedia.org/r/1178713

gerritbot added a comment.Aug 14 2025, 6:32 AM

Change #1178714 had a related patch set uploaded (by Vanshika11; author: Vanshika11):

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

https://gerrit.wikimedia.org/r/1178714

gerritbot added a comment.Aug 14 2025, 6:41 AM

Change #1178712 abandoned by Vanshika11:

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

Reason:

duplicate

https://gerrit.wikimedia.org/r/1178712

gerritbot added a comment.Aug 14 2025, 6:49 AM

Change #1178713 abandoned by Vanshika11:

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

Reason:

duplicate

https://gerrit.wikimedia.org/r/1178713

Vanshika added a project: RoadToWiki.Aug 15 2025, 3:56 AM
Vanshika subscribed.
gerritbot added a comment.Aug 15 2025, 4:24 AM

Change #1179020 had a related patch set uploaded (by Vanshika11; author: Vanshika11):

[wikimedia-cz/tracker@master] T237160: Fix bug where renaming a document changes the uploader

https://gerrit.wikimedia.org/r/1179020

gerritbot added a comment.Aug 15 2025, 4:45 AM

Change #1178713 restored by Vanshika11:

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

https://gerrit.wikimedia.org/r/1178713

Vanshika claimed this task.Aug 15 2025, 5:09 AM
gerritbot added a comment.Sep 4 2025, 8:23 PM

Change #1179020 had a related patch set uploaded (by Vanshika11; author: Vanshika11):

[wikimedia-cz/tracker@master] T237160: Fix bug where renaming a document changes the uploader

https://gerrit.wikimedia.org/r/1179020

gerritbot added a comment.Sep 13 2025, 10:18 AM

Change #1178713 had a related patch set uploaded (by Vanshika11; author: Vanshika11):

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check

https://gerrit.wikimedia.org/r/1178713

gerritbot added a comment.Sep 17 2025, 3:46 PM

Change #1178714 abandoned by Vanshika11:

[wikimedia-cz/tracker@master] T237160: Replace is_staff check with proper permission check The Problem is that currently, the code uses `is_staff` to check if a user can perform certain actions. This is not precise and may grant permissions to users who shouldn't have them.

Reason:

dupliacte

https://gerrit.wikimedia.org/r/1178714

Somyaya subscribed.Oct 4 2025, 2:07 PM

Hi! I’m a newcomer and would like to work on this task as my first contribution. Could I please be assigned?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits