Closed
2 changes: 1 addition & 1 deletion common/djangoapps/student/roles.py
Expand Up @@ -136,7 +136,7 @@ class GlobalStaff(AccessRole):
The global staff role
"""
def has_user(self, user):
return bool(user and user.is_staff)
return bool(user and (user.is_superuser or user.is_staff))

Conceptually, "global staff" and "super user" are two different roles. I don't think that this PR is helpful, because it says that "superusers have the global staff role", which I don't think is true.

There are two root problems and IMHO we should try to fix one of the root problems if we're going to be fixing something here:

  1. The django is_staff flag is meant to indicate whether the user has access to the django admin. It is not meant to be used for other things like indicating some openedx-specific "global staff" role that grants all kinds of other permissions. A new is_global_staff flag should be created to separate this role from the "has django admin access" role. (This is very similar to how the is_active flag is supposed to enable/disable accounts, but is instead used to track email activation, which causes a number of bugs and requires workarounds throughout the system.)
  2. Somewhere, the code to check "can this user access Studio" is implemented wrong. It should only be checking for a permission, and any permissions check will always return True for superusers. But instead, it's hard-coded to check for specific roles like "global staff", which is why the superuser role is seemingly not granting the permission.

CC @hsinkoff


def add_users(self, *users):
for user in users:
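
Review bot: In `has_user`, adding `user.is_superuser` widens the answer for every caller of `GlobalStaff.has_user`, not only the Studio access check raised in the review comment above, and the class docstring still reads "The global staff role" with no mention that superusers now count. If the widening is intended, state it in the docstring and cover it with a test for a user that has `is_superuser=True` and `is_staff=False`; otherwise keep the role check as `bool(user and user.is_staff)` and handle superusers at the access check that needs it, so the role's meaning does not change for other code that relies on it.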