
Remove `is_staff` checks from Tracker
Open, Low, Public

Description

Problem

Tracker contains some `user.is_staff` checks, which can expose information even to admins who have no permission to see it. Examples are in viewsets.py and the importcsv/export views in views.py. This is problematic because a user who is staff can have zero permissions assigned and thus actually have no advanced permissions at all.

Proposed solution

Please fix one occurrence of this bug. Use your own judgement as to whether a new permission would be appropriate, or whether one of Django's default permissions can be reused.

The student is expected to send a patch for the wikimedia-cz/tracker repository, hosted at Wikimedia Gerrit. When claiming the task on the GCI website, the student should claim the respective Phabricator task as well.
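The difference between the two checks, as an added example that is not code from the tracker repository: it uses a minimal stand-in for Django's User (with a `has_perm` that mirrors the ModelBackend rule that superusers pass and everyone else needs the codename) so it runs without Django, and the permission codename `tracker.export_csv` is a hypothetical placeholder for whatever default or new permission the patch ends up using.

```python
# Added example (not from the tracker repository): contrasts a staff-flag
# check with an explicit permission check, using a minimal stand-in for
# Django's User so it runs without Django installed.
from dataclasses import dataclass, field


@dataclass
class User:
    """Minimal constructed stand-in for django.contrib.auth's User."""
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    # Codenames in Django's "app_label.codename" form.
    user_permissions: set = field(default_factory=set)

    def has_perm(self, perm):
        # Mirrors Django's ModelBackend: superusers pass, others need the perm.
        return self.is_superuser or perm in self.user_permissions


# Hypothetical codename for the CSV export view; the real patch would reuse
# a default "tracker.view_<model>" permission or add a purpose-built one.
EXPORT_PERM = "tracker.export_csv"


def export_allowed_by_staff_flag(user):
    """The pattern the task asks to remove: the staff flag alone grants access."""
    return user.is_staff


def export_allowed_by_permission(user):
    """Replacement: access is tied to an explicitly assignable permission."""
    return user.has_perm(EXPORT_PERM)


def demo():
    # Constructed users. The staff user has zero permissions assigned,
    # which is exactly the case the task description describes.
    staff_no_perms = User("alice", is_staff=True)
    plain_with_perm = User("bob", user_permissions={EXPORT_PERM})
    return {
        "staff_flag": (export_allowed_by_staff_flag(staff_no_perms),
                       export_allowed_by_staff_flag(plain_with_perm)),
        "permission": (export_allowed_by_permission(staff_no_perms),
                       export_allowed_by_permission(plain_with_perm)),
    }


if __name__ == "__main__":
    for check, (staff, granted) in demo().items():
        print(f"{check}: staff-without-perms={staff}, user-with-perm={granted}")
```

With the staff flag, alice (staff, no permissions) is let in and bob (holding the permission) is not; with the permission check the outcome flips, which is the behaviour the fix should produce.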

Materials

Event Timeline

Urbanecm created this task.Nov 2 2019, 4:15 PM

Thank you, Gopa, but, in the future, I'd like to import my own tasks myself. Thanks!

Florian added a subscriber: Florian.Nov 2 2019, 5:50 PM

Hi,

It might relate to my missing knowledge of the codebase; however, GCI students will not have any context either, so: can you give a bit more context on the problem? Why is an "is_staff" check problematic and what is the expected replacement? Checking for a specific permission? Adding a new one or re-using an existing one? Once this is clarified, I would be happy to publish this task on the GCI website :)

Urbanecm updated the task description.Nov 2 2019, 5:59 PM

Awesome, thanks @Urbanecm :) I published the task!

Urbanecm moved this task from Inbox to GCI on the WMCZ-Tracker board.Nov 4 2019, 12:55 PM
Urbanecm triaged this task as Low priority.Jul 21 2020, 10:25 PM