fix: CourseLimitedStaffRole should not be able to access studio.

We previously fixed this when the CourseLimitedStaffRole was applied to a course but did not handle the case where the role is applied to a user for a whole org. The underlying issue is that the CourseLimitedStaffRole is a subclass of the CourseStaffRole and much of the system assumes that subclesses are for giving more access not less access. To prevent that from happening for the case of the CourseLimitedStaffRole, when we do CourseStaffRole access checks, we use the strict_role_checking context manager to ensure that we're not accidentally granting the limited_staff role too much access.
2025-12-11 11:18:06 -05:00
parent 6a046ebe50
commit f2bb6cb2e6
4 changed files with 70 additions and 3 deletions
--- a/common/djangoapps/student/auth.py
+++ b/common/djangoapps/student/auth.py
@@ -24,6 +24,7 @@ from common.djangoapps.student.roles import (
    OrgInstructorRole,
    OrgLibraryUserRole,
    OrgStaffRole,
+    strict_role_checking,
 )

 # Studio permissions:
@@ -115,8 +116,9 @@ def get_user_permissions(user, course_key, org=None, service_variant=None):
            return STUDIO_NO_PERMISSIONS

    # Staff have all permissions except EDIT_ROLES:
-    if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role(user, CourseStaffRole(course_key))):
-        return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
+    with strict_role_checking():
+        if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role(user, CourseStaffRole(course_key))):
+            return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT

    # Otherwise, for libraries, users can view only:
    if course_key and isinstance(course_key, LibraryLocator):
--- a/common/djangoapps/student/tests/test_authz.py
+++ b/common/djangoapps/student/tests/test_authz.py
@@ -11,6 +11,7 @@ from django.core.exceptions import PermissionDenied
 from django.test import TestCase, override_settings
 from opaque_keys.edx.locator import CourseLocator

+from common.djangoapps.student.models.user import CourseAccessRole
 from common.djangoapps.student.auth import (
    add_users,
    has_studio_read_access,
@@ -305,6 +306,23 @@ class CourseGroupTest(TestCase):
        assert not has_studio_read_access(self.limited_staff, self.course_key)
        assert not has_studio_write_access(self.limited_staff, self.course_key)

+    @override_settings(SERVICE_VARIANT='cms')
+    def test_limited_org_staff_no_studio_access_cms(self):
+        """
+        Verifies that course limited staff have no read and no write access when SERVICE_VARIANT is not 'lms'.
+        """
+        # Add a user as course_limited_staff on the org
+        # This is not possible using the course roles classes but is possible via Django admin so we
+        # insert a row into the model directly to test that scenario.
+        CourseAccessRole.objects.create(
+            user=self.limited_staff,
+            org=self.course_key.org,
+            role=CourseLimitedStaffRole.ROLE,
+        )
+
+        assert not has_studio_read_access(self.limited_staff, self.course_key)
+        assert not has_studio_write_access(self.limited_staff, self.course_key)
+

 class CourseOrgGroupTest(TestCase):
    """