Tracker contains some user.is_staff checks, which can expose some information even to admins with no permission to see it. Example of this is in viewsets.py. or importcsv/export in views.py. This is problematic because user who is a staff can have zero permissions assigned, and thus, actually have no advanced permissions.
Please fix one occurance of this bug. You should use your own judgement if a new permission would be appropriate, or if one of Django default permissions can be reused.
Student is expected to send a patch for wikimedia-cz/tracker repository, hosted at Wikimedia Gerrit. When claiming task on GCI website, student should claim a respective Phabricator task as well.