Change Details

# Problem Tracker contains some `user.is_staff` checks, which can expose some information even to admins with no permission to see it. Example of this is in `viewsets.py`. or `importcsv`/`export` in `views.py`. # Proposed solution Please fix one occurance of this bug. Student is expected to send a patch for `wikimedia-cz/tracker` repository, hosted at Wikimedia Gerrit. When claiming task on GCI website, student should claim a respective Phabricator task as well. # Materials * [Tracker in production](https://tracker.wikimedia.cz) * [Test Tracker version](https://tracker2.wikimedia.cz) - you can play with Tracker freely here * [Codebase](https://gerrit.wikimedia.org/r/admin/projects/wikimedia-cz/tracker)

# Problem Tracker contains some `user.is_staff` checks, which can expose some information even to admins with no permission to see it. Example of this is in `viewsets.py`. or `importcsv`/`export` in `views.py`. This is problematic because user who is a staff can have zero permissions assigned, and thus, actually have no advanced permissions. # Proposed solution Please fix one occurance of this bug. You should use your own judgement if a new permission would be appropriate, or if one of Django default permissions can be reused. Student is expected to send a patch for `wikimedia-cz/tracker` repository, hosted at Wikimedia Gerrit. When claiming task on GCI website, student should claim a respective Phabricator task as well. # Materials * [Tracker in production](https://tracker.wikimedia.cz) * [Test Tracker version](https://tracker2.wikimedia.cz) - you can play with Tracker freely here * [Codebase](https://gerrit.wikimedia.org/r/admin/projects/wikimedia-cz/tracker)

# Problem Tracker contains some `user.is_staff` checks, which can expose some information even to admins with no permission to see it. Example of this is in `viewsets.py`. or `importcsv`/`export` in `views.py`. This is problematic because user who is a staff can have zero permissions assigned, and thus, actually have no advanced permissions. # Proposed solution Please fix one occurance of this bug. You should use your own judgement if a new permission would be appropriate, or if one of Django default permissions can be reused. Student is expected to send a patch for `wikimedia-cz/tracker` repository, hosted at Wikimedia Gerrit. When claiming task on GCI website, student should claim a respective Phabricator task as well. # Materials * [Tracker in production](https://tracker.wikimedia.cz) * [Test Tracker version](https://tracker2.wikimedia.cz) - you can play with Tracker freely here * [Codebase](https://gerrit.wikimedia.org/r/admin/projects/wikimedia-cz/tracker)