Closed ichintanjoshi closed 1 month ago
@ichintanjoshi, has this been reproduced on master? If not, which released version?
@arbrandes sorry, I forgot to add those details. No, I haven't tested it on master. Will take a look if Tutor works with master.
This was done on Tutor: 16.x.x, 17.0.0 and 17.0.1; Open edX: palm and quince.1
Tutor certainly does work with master, but you have to install its nightly
branches manually. See https://docs.tutor.edly.io/tutorials/nightly.html.
Hi @arbrandes yes this also gets reproduced in master
Hi, @arbrandes Could you please provide me with an update on the progress for that issue if any?
This was fixed as part of a security fix. Please see https://discuss.openedx.org/t/upcoming-security-fix-for-edx-platform-on-2024-05-17/13004/2 for the post and details linked off of it.
Description
If a user has `staff` permission in django admin (different compared to studio staff or course staff permission) and they visit the studio and go to any course that is not created by them, after that if they go to Content dropdown -> Pages & Resources they'll get an error and their staff permission in django admin vanishes.
Steps To Reproduce
Go to Studio as Admin
Create a course
Sign up as new user in incognito tab
Back to admin user, activate the user and give staff permission
![image](https://github.com/openedx/public-engineering/assets/22208656/c4b89d52-0d10-4022-a44e-d2634c59d6df)
Go back to incognito tab with new user signed in and go to studio
![image](https://github.com/openedx/public-engineering/assets/22208656/c91dda9e-a381-4377-913c-84dfddbe6306)
Select the course created by studio
Click on "Content" Dropdown
![image](https://github.com/openedx/public-engineering/assets/22208656/32722d3d-b0f0-45b0-b37b-7fa585e52205)
Click on "Pages & Resources"
It'll show an error
![image](https://github.com/openedx/public-engineering/assets/22208656/79e5e248-9ad1-4a29-b28a-e3e6616f38d6)
Back to admin user and check the user in admin panel, we see that staff permission is gone.
![image](https://github.com/openedx/public-engineering/assets/22208656/03350255-2d6f-45a8-822e-f922b3b74e94)
(NOTE: This issue will not occur if the user is present in the system and has staff permission already; it only occurs for users who are not present at the time of course creation or do not have staff permission at the time of creation.)
Expected Result
Newly created users with staff permission should be able to see the page like following
Workaround
Specs
This issue is raised after enquiring in slack about where to raise the issue. This issue is raised as a result of discussion on this thread. Please let me know if this is not the correct place for creating the issue.