Skip to content

feanil/teak limited staff fix #37772

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
feanil merged 1 commit into from
Dec 18, 2025
Merged

feanil/teak limited staff fix #37772

feanil merged 1 commit into from
Dec 18, 2025
+70 −3

Conversation

@feanil
Copy link
Contributor

@feanil feanil commented Dec 16, 2025
edited
Loading

Teak backport of GHSA-rh64-vc2h-7wfj

@feanil
fix: CourseLimitedStaffRole should not be able to access studio.
ea63816 
We previously fixed this when the CourseLimitedStaffRole was applied to
a course but did not handle the case where the role is applied to a user
for a whole org.  The underlying issue is that the CourseLimitedStaffRole
is a subclass of the CourseStaffRole and much of the system assumes that
subclesses are for giving more access not less access.

To prevent that from happening for the case of the CourseLimitedStaffRole,
when we do CourseStaffRole access checks, we use the strict_role_checking
context manager to ensure that we're not accidentally granting the
limited_staff role too much access.
@feanil feanil changed the base branch from master to release/teak December 16, 2025 16:57
@feanil feanil requested review from bmtcril and ormsbee December 16, 2025 18:58
@feanil feanil merged commit bfdbcd5 into release/teak Dec 18, 2025
5 checks passed
@feanil feanil deleted the feanil/teak_limited_staff_fix branch December 18, 2025 15:32
@ahmed-arb ahmed-arb mentioned this pull request Dec 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmtcril bmtcril bmtcril approved these changes

@kdmccormick kdmccormick Awaiting requested review from kdmccormick

@farhan farhan Awaiting requested review from farhan

@irtazaakram irtazaakram Awaiting requested review from irtazaakram

@salman2013 salman2013 Awaiting requested review from salman2013

@ormsbee ormsbee Awaiting requested review from ormsbee

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@feanil @bmtcril