Skip to content

fix: withdrawn by author#38332

Closed
kingoftech-v01 wants to merge 1 commit intoopenedx:masterfrom
kingoftech-v01:fix/sec-broken-permission-class
Closed

fix: withdrawn by author#38332
kingoftech-v01 wants to merge 1 commit intoopenedx:masterfrom
kingoftech-v01:fix/sec-broken-permission-class

Conversation

@kingoftech-v01
Copy link
Copy Markdown

@kingoftech-v01 kingoftech-v01 commented Apr 10, 2026
edited
Loading

Closed.

@openedx-webhooks
Copy link
Copy Markdown

openedx-webhooks commented Apr 10, 2026

Thanks for the pull request, @kingoftech-v01!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Submit a signed contributor agreement (CLA)

⚠️ We ask all contributors to the Open edX project to submit a signed contributor agreement or indicate their institutional affiliation.
Please see the CONTRIBUTING file for more information.

If you've signed an agreement in the past, you may need to re-sign.
See The New Home of the Open edX Codebase for details.

Once you've signed the CLA, please allow 1 business day for it to be processed.
After this time, you can re-run the CLA check by adding a comment below that you have signed it.
If the CLA check continues to fail, you can tag the @openedx/cla-problems team in a comment for further assistance.

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Apr 10, 2026
@github-project-automation github-project-automation bot moved this to Needs Triage in Contributions Apr 10, 2026
fix(api): correct IsUserInUrlOrStaff permission class to return boolean
3f2eb15 
IsUserInUrlOrStaff.has_permission returned the expression
`IsStaff | IsUserInUrl`, which under DRF 3.9+ evaluates to a composite
permission class object rather than a boolean. A class object is always
truthy, so the permission check unconditionally granted access to any
authenticated caller regardless of whether the request user matched
the username in the URL or held staff status.

The defect was introduced in PR #28663 (Oct 2021, commit 9e787a0)
when the dependency on rest_condition was removed:
`C(IsStaff) | IsUserInUrl` was replaced with `IsStaff | IsUserInUrl`
under the assumption that native DRF composition would apply, but
native composition only works at the view-level permission_classes
attribute, not inside a has_permission method body.

Exploitation was prevented in practice by a defense-in-depth check in
openedx/core/djangoapps/user_api/preferences/api.py::_check_authorized,
which independently rejects cross-user access. This fix restores the
intended behaviour at the DRF layer so the API no longer relies solely
on the internal check.

Instantiate IsStaff and IsUserInUrl and delegate to their
has_permission methods, OR-ing the boolean results. Adds regression
tests for staff, owner-matching, mismatched, and anonymous cases.
@github-project-automation github-project-automation bot moved this from Needs Triage to Done in Contributions Apr 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

open-source-contribution PR author is not from Axim or 2U

Projects

Contributions
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kingoftech-v01 @openedx-webhooks @kdmccormick