Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensures that only staff are allowed to assign the journal manager role #4143

Merged
merged 5 commits into from
Apr 30, 2024
Merged

Ensures that only staff are allowed to assign the journal manager role #4143

merged 5 commits into from
Apr 30, 2024

Conversation

ajrbyers
Copy link
Member

@ajrbyers ajrbyers commented Apr 30, 2024
edited
Loading

Two issues here:

  1. A bad merge had moved AccountRoleSerializer's validate method into PreprintSerializer.
  2. The enrol_users view was not filtering out the journal manager role properly.

2 would not have been a serious issue without 1, as the API would have refused to assign the role and let the non-staff user know.

Additionally, I've renamed the roles variable as it shadows a an outer scope definition.

Closes #4141

@ajrbyers ajrbyers requested a review from mauromsl April 30, 2024 09:36
@mauromsl mauromsl added this to the v1.5.3 milestone Apr 30, 2024
mauromsl
mauromsl requested changes Apr 30, 2024
View reviewed changes
Copy link
Member

@mauromsl mauromsl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, we need a test case as with other security issues. Otherwise looks good

@ajrbyers ajrbyers requested a review from mauromsl April 30, 2024 12:10
@ajrbyers ajrbyers assigned mauromsl and unassigned ajrbyers Apr 30, 2024
@ajrbyers
Copy link
Member Author

@mauromsl test now in place. I've added an explicit kwarg to helpers.create_user for is_staff as setting this in the attr loop doesn't seem to work.

@ajrbyers ajrbyers changed the base branch from master to b_1_5_x April 30, 2024 12:47
mauromsl
mauromsl approved these changes Apr 30, 2024
View reviewed changes
Copy link
Member

@mauromsl mauromsl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some thoughts, not even comments so I'm green ticking

src/api/tests/test_api.py Show resolved Hide resolved
src/utils/testing/helpers.py Outdated Show resolved Hide resolved
@mauromsl mauromsl requested a review from joemull April 30, 2024 14:39
@mauromsl mauromsl assigned joemull and unassigned mauromsl Apr 30, 2024
@joemull joemull merged commit 202b214 into b_1_5_x Apr 30, 2024
1 check failed
@joemull joemull deleted the 4141-hotfix branch April 30, 2024 15:35
@mauromsl mauromsl mentioned this pull request May 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mauromsl mauromsl mauromsl approved these changes

@joemull joemull joemull approved these changes

Assignees

@joemull joemull

Labels
None yet
Projects
None yet
Milestone
v1.5.3
Development

Successfully merging this pull request may close these issues.

Non-staff able to assign Journal Manager role
3 participants
@ajrbyers @mauromsl @joemull