fix: CourseLimitedStaffRole should not be able to access studio.#65
Merged
timmc-edx merged 1 commit intorelease-ulmofrom Dec 17, 2025
Merged
fix: CourseLimitedStaffRole should not be able to access studio.#65timmc-edx merged 1 commit intorelease-ulmofrom
timmc-edx merged 1 commit intorelease-ulmofrom
Conversation
We previously fixed this when the CourseLimitedStaffRole was applied to a course but did not handle the case where the role is applied to a user for a whole org. The underlying issue is that the CourseLimitedStaffRole is a subclass of the CourseStaffRole and much of the system assumes that subclesses are for giving more access not less access. To prevent that from happening for the case of the CourseLimitedStaffRole, when we do CourseStaffRole access checks, we use the strict_role_checking context manager to ensure that we're not accidentally granting the limited_staff role too much access.
There was a problem hiding this comment.
Pull request overview
This PR fixes a security issue where users with the CourseLimitedStaffRole assigned at the organization level could gain unintended Studio/CMS access. The underlying problem is that CourseLimitedStaffRole is a subclass of CourseStaffRole, and the role inheritance system assumes subclasses have more permissions, not fewer. This fix uses the strict_role_checking() context manager to temporarily disable role inheritance when checking CourseStaffRole permissions in Studio contexts, ensuring that users with CourseLimitedStaffRole are properly restricted.
Key changes:
- Wrapped
CourseStaffRolepermission checks withstrict_role_checking()inget_user_permissions()and_accessible_courses_list_from_groups()to prevent role inheritance from granting unintended access - Added comprehensive tests for both course-level and org-level
CourseLimitedStaffRoleassignments to verify Studio access is properly denied
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| common/djangoapps/student/auth.py | Adds strict_role_checking() wrapper around CourseStaffRole permission check in get_user_permissions() to prevent CourseLimitedStaffRole from inheriting studio permissions |
| cms/djangoapps/contentstore/views/course.py | Applies strict_role_checking() when retrieving courses accessible to staff users in _accessible_courses_list_from_groups() to prevent limited staff from listing courses |
| common/djangoapps/student/tests/test_authz.py | Adds test case for org-level CourseLimitedStaffRole to verify no Studio access is granted in CMS context |
| cms/djangoapps/contentstore/tests/test_course_listing.py | Adds tests for both course-level and org-level CourseLimitedStaffRole to ensure users cannot list courses in Studio |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| number=course_location.course, | ||
| run=course_location.run | ||
| ) | ||
| course = CourseOverviewFactory.create(id=course_location, org=course_location.org) |
There was a problem hiding this comment.
Variable course is not used.
Suggested change
| course = CourseOverviewFactory.create(id=course_location, org=course_location.org) | |
| CourseOverviewFactory.create(id=course_location, org=course_location.org) |
timmc-edx
approved these changes
Dec 17, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
We previously fixed this when the CourseLimitedStaffRole was applied to a course but did not handle the case where the role is applied to a user for a whole org. The underlying issue is that the CourseLimitedStaffRole is a subclass of the CourseStaffRole and much of the system assumes that subclesses are for giving more access not less access.
To prevent that from happening for the case of the CourseLimitedStaffRole, when we do CourseStaffRole access checks, we use the strict_role_checking context manager to ensure that we're not accidentally granting the limited_staff role too much access.
Note
This change was cherry-picked from openedx/edx-platform.