openedx / public-engineering

General public issue repository for the Open edX engineering community

Staff Permission vanishes #241

Closed ichintanjoshi closed 1 month ago

ichintanjoshi commented 4 months ago

Description

If a user has staff permission in Django admin (different from Studio staff or course staff permission), and they visit Studio and go to any course that was not created by them, then go to the Content dropdown -> Pages & Resources, they'll get an error and their staff permission in Django admin vanishes.

Steps To Reproduce

  1. Go to Studio as Admin

  2. Create a course

  3. Sign up as a new user in an incognito tab

  4. Back to admin user, activate the user and give staff permission

  5. Go back to incognito tab with new user signed in and go to studio

  6. Select the course created by studio

  7. Click on "Content" Dropdown

  8. Click on "Pages & Resources"

  9. It'll show an error

  10. Back to admin user and check the user in admin panel, we see that staff permission is gone.

(NOTE: This issue will not occur if the user is present in the system and has staff permission already; it only occurs for users who are not present at the time of course creation or do not have staff permission at the time of creation.)

Expected Result

Newly created users with staff permission should be able to see the page like the following:

image

Workaround

Specs

This issue is raised after enquiring in Slack about where to raise the issue. This issue is raised as a result of discussion on this thread. Please let me know if this is not the correct place for creating the issue.

arbrandes commented 4 months ago

@ichintanjoshi, has this been reproduced on master? If not, which released version?

ichintanjoshi commented 4 months ago

@arbrandes sorry, I forgot to add those details. No, I haven't tested it on master. Will take a look if Tutor works with master.

This was done on Tutor: 16.x.x, 17.0.0 and 17.0.1; Open edX: palm and quince.1

arbrandes commented 4 months ago

Tutor certainly does work with master, but you have to install its nightly branches manually. See https://docs.tutor.edly.io/tutorials/nightly.html.

ichintanjoshi commented 3 months ago

Hi @arbrandes, yes, this also gets reproduced in master.

manja-o commented 3 months ago

Hi @arbrandes, could you please provide me with an update on the progress for that issue, if any?

ormsbee commented 1 month ago

This was fixed as part of a security fix. Please see https://discuss.openedx.org/t/upcoming-security-fix-for-edx-platform-on-2024-05-17/13004/2 for the post and details linked off of it.