Conversation

@DeimerM DeimerM commented Dec 24, 2025

This is a backport from the following commit: openedx@ea63816

If you want to read further information, you can refer to the following security issue: GHSA-rh64-vc2h-7wfj

We previously fixed this when the CourseLimitedStaffRole was applied to
a course but did not handle the case where the role is applied to a user
for a whole org.  The underlying issue is that the CourseLimitedStaffRole
is a subclass of the CourseStaffRole and much of the system assumes that
subclasses are for giving more access, not less access.

To prevent that from happening for the case of the CourseLimitedStaffRole,
when we do CourseStaffRole access checks, we use the strict_role_checking
context manager to ensure that we're not accidentally granting the
limited_staff role too much access.
@DeimerM DeimerM requested a review from a team December 24, 2025 21:38
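The description above explains the pitfall behind the fix: CourseLimitedStaffRole is a subclass of CourseStaffRole, so any access check written as an isinstance-style "is this user staff?" test also matches limited staff, and an org-wide limited-staff grant therefore unlocks every course in the org. The following is an added toy model written for this page, not Open edX code: the class names and the strict_role_checking context manager mirror the PR's terminology, but their implementation here, the Course/User containers, and the sample users and course keys are all assumptions constructed for the example. It shows the check before and after wrapping it in strict mode.

```python
"""Toy model of the role-subclass pitfall from the PR (added example, not
Open edX code). Names follow the PR; the implementation is an assumption."""
from contextlib import contextmanager
from dataclasses import dataclass, field
import threading


class RoleBase:
    """A role grant scoped either to one course or to every course in an org."""

    ROLE = ""

    def __init__(self, course_key=None, org=None):
        if (course_key is None) == (org is None):
            raise ValueError("grant exactly one of course_key or org")
        self.course_key = course_key
        self.org = org

    def covers(self, course):
        # A course-scoped grant covers that course only; an org-scoped grant
        # covers every course in the org (the case the earlier fix missed).
        if self.course_key is not None:
            return self.course_key == course.key
        return self.org == course.org


class CourseStaffRole(RoleBase):
    ROLE = "staff"


class CourseLimitedStaffRole(CourseStaffRole):
    """Subclass of CourseStaffRole that is meant to grant LESS access."""

    ROLE = "limited_staff"


@dataclass(frozen=True)
class Course:
    org: str
    key: str


@dataclass
class User:
    username: str
    roles: list = field(default_factory=list)


_state = threading.local()


def is_strict():
    return getattr(_state, "strict", False)


@contextmanager
def strict_role_checking():
    """While active, a role check matches only the exact role class, so a
    subclass such as CourseLimitedStaffRole no longer satisfies a
    CourseStaffRole check. Hypothetical stand-in for the manager the PR names."""
    previous = is_strict()
    _state.strict = True
    try:
        yield
    finally:
        _state.strict = previous


def has_role(user, required, course):
    """True if the user holds a grant of `required` that covers `course`."""
    for grant in user.roles:
        if not grant.covers(course):
            continue
        if is_strict():
            if type(grant) is required:
                return True
        elif isinstance(grant, required):
            return True
    return False


def staff_access_before_fix(user, course):
    """Plain CourseStaffRole check: isinstance() treats limited staff as staff."""
    return has_role(user, CourseStaffRole, course)


def staff_access_after_fix(user, course):
    """The pattern from the PR: wrap the CourseStaffRole check in strict mode."""
    with strict_role_checking():
        return has_role(user, CourseStaffRole, course)


if __name__ == "__main__":
    # Constructed sample data, not real course keys or users.
    demo = Course(org="edX", key="course-v1:edX+DemoX+2025")
    limited_org = User("ana", [CourseLimitedStaffRole(org="edX")])
    print("before fix:", staff_access_before_fix(limited_org, demo))
    print("after fix: ", staff_access_after_fix(limited_org, demo))
```

The strict flag lives in thread-local state and is restored on exit, so nested checks and concurrent requests do not leak strict mode into each other; that is also why a plain module-level boolean would be the wrong choice here. Checks for capabilities that limited staff legitimately holds can still call has_role outside the context manager and let the subclass through.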
magajh commented Jan 7, 2026

@DeimerM let's please just leave in this PR the security fix (commit 461788b)
and open a new PR with the reverse of the webpack commit

@DeimerM DeimerM force-pushed the dmh/backport-limited-staff-fix branch from 944597e to 461788b Compare January 7, 2026 15:14
DeimerM commented Jan 7, 2026

@DeimerM let's please just leave in this PR the security fix (commit 461788b) and open a new PR with the reverse of the webpack commit

Done!

@DeimerM DeimerM merged commit 2e2704e into ednx-release/teak.master Jan 7, 2026
94 checks passed