Restrict staff servicing org perms to non-POST requests #5620
Conversation
| self.user: True, | ||
| self.admin: True, | ||
| self.admin2: False, | ||
| self.customer_support: True, |
There was a problem hiding this comment.
staff servicing perms now happens at view level only and not in User.has_org_perm which this is testing
| # only editors and administrators can use API tokens | ||
| if role not in APIToken.ALLOWED_ROLES: | ||
| # only editors, administrators and servicing staff can use API tokens | ||
| if role not in APIToken.ALLOWED_ROLES and not request.user.is_staff: |
There was a problem hiding this comment.
because org.get_user_role no longer fakes an Admin role for staff
There was a problem hiding this comment.
@ericnewcomer @norkans7 we should maybe stop relying on staff API tokens for dashboards.. we could have a special U-Report account which we add to workspaces instead.
| @@ -42,10 +42,6 @@ def __call__(self, request): | |||
| assert hasattr(request, "user"), "must be called after django.contrib.auth.middleware.AuthenticationMiddleware" | |||
|
|
|||
| request.org = self.determine_org(request) | |||
| if request.org: | |||
| # set our current role for this org | |||
| request.role = request.org.get_user_role(request.user) | |||
There was a problem hiding this comment.
doesn't appear to be used anywhere....
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5620 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 560 560
Lines 25755 25752 -3
=========================================
- Hits 25755 25752 -3 ☔ View full report in Codecov by Sentry. |
No description provided.