Impact
#32570 introduced the concept of a limited staff role. This role is meant to only access LMS related staff capabilities and should not be able to access or make any studio changes. Later, there was added a fix to allow limited staff to manage cohorts and access the gradebook #33491. As a result, the limited staff member can hit the studio APIs and make changes.
List of affected APIs:
GET Success (200-204)
Common for all pages
{{ CMS_DOMAIN }}/csrf/api/v1/token
{{ CMS_DOMAIN }}/api/contentstore/v1/help_urls
Course outline page
{{ CMS_DOMAIN }}/api/courses/v1/quality/course-v1:{{ COURSE_ID }}/?exclude_graded=true&all=true
{{ CMS_DOMAIN }}/api/courses/v1/validation/course-v1:{{ COURSE_ID }}/?graded_only=true&validate_oras=true&all=true
{{ CMS_DOMAIN }}/api/content_tagging/v1/object_tag_counts/course-v1:{{ COURSE_ID }}/?count_implicit
Course Updates
{{ CMS_DOMAIN }}/course_info_update/course-v1:{{ COURSE_ID }}/
Pages&Resources
{{ CMS_DOMAIN }}/api/course_apps/v1/apps/course-v1:{{ COURSE_ID }}
{{ CMS_DOMAIN }}/api/course_live/providers/course-v1:{{ COURSE_ID }}/
{{ CMS_DOMAIN }}/api/course_live/course/course-v1:{{ COURSE_ID }}/
{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/settings
{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/providers
{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/settings?provider_id=openedx
Files
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/?page=0
Advanced settings
{{ CMS_DOMAIN }}/api/contentstore/v1/proctoring_errors/course-v1:{{ COURSE_ID }}
Certificates
{{ CMS_DOMAIN }}/api/contentstore/v1/certificates/course-v1:{{ COURSE_ID }}
{{ CMS_DOMAIN }}/asset-v1:{{ COURSE_ID }}+type@asset+block@{{ FILE_NAME }}
{{ CMS_DOMAIN }}/certificates/course-v1:{{ COURSE_ID }}
{{ CMS_DOMAIN }}/certificates/activation/course-v1:{{ COURSE_ID }}/
Import
{{ CMS_DOMAIN }}/import_status/course-v1:{{ COURSE_ID }}/demo-course.tar.gz
Export
{{ CMS_DOMAIN }}/export_status/course-v1:{{ COURSE_ID }}
POST Success (200-204)
{{ CMS_DOMAIN }}/course_info_update/course-v1:{{ COURSE_ID }}/
Pages&Resources
{{ CMS_DOMAIN }}/api/course_live/course/course-v1:{{ COURSE_ID }}/
{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/settings
Textbooks
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/
Certificates
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/
Import
{{ CMS_DOMAIN }}/import/course-v1:{{ COURSE_ID }}
Export
{{ CMS_DOMAIN }}/export/course-v1:{{ COURSE_ID }}
DELETE Success (200-204)
Course Updates
{{ CMS_DOMAIN }}/course_info_update/course-v1:{{ COURSE_ID }}/{{ UPDATE_ID }}
Files
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/asset-v1:{{ COURSE_ID }}+type@asset+block@{{ FILE_NAME }}
Certificates
{{ CMS_DOMAIN }}/certificates/course-v1:{{ COURSE_ID }}/{{ CERTIFICATE_ID }}
PUT Success (200-204)
Course Updates
{{ CMS_DOMAIN }}/xblock/block-v1:{{ COURSE_ID }}+type@course_info+block@handouts
Files
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/asset-v1:{{ COURSE_ID }}+type@asset+block@{{ FILE_NAME }}
PATCH Success (200-204)
Pages&Resources
{{ CMS_DOMAIN }}/api/course_apps/v1/apps/course-v1:{{ COURSE_ID }}
GET Success (302)
Import
{{ CMS_DOMAIN }}/import/course-v1:{{ COURSE_ID }}
Export
{{ CMS_DOMAIN }}/export/course-v1:{{ COURSE_ID }}
Checklists
{{ CMS_DOMAIN }}/checklists/course-v1:{{ COURSE_ID }}
Patches
Impact
#32570 introduced the concept of a limited staff role. This role is meant to only access LMS related staff capabilities and should not be able to access or make any studio changes. Later, there was added a fix to allow limited staff to manage cohorts and access the gradebook #33491. As a result, the limited staff member can hit the studio APIs and make changes.
List of affected APIs:
GET Success (200-204)
Common for all pages
{{ CMS_DOMAIN }}/csrf/api/v1/token{{ CMS_DOMAIN }}/api/contentstore/v1/help_urlsCourse outline page
{{ CMS_DOMAIN }}/api/courses/v1/quality/course-v1:{{ COURSE_ID }}/?exclude_graded=true&all=true{{ CMS_DOMAIN }}/api/courses/v1/validation/course-v1:{{ COURSE_ID }}/?graded_only=true&validate_oras=true&all=true{{ CMS_DOMAIN }}/api/content_tagging/v1/object_tag_counts/course-v1:{{ COURSE_ID }}/?count_implicitCourse Updates
{{ CMS_DOMAIN }}/course_info_update/course-v1:{{ COURSE_ID }}/Pages&Resources
{{ CMS_DOMAIN }}/api/course_apps/v1/apps/course-v1:{{ COURSE_ID }}{{ CMS_DOMAIN }}/api/course_live/providers/course-v1:{{ COURSE_ID }}/{{ CMS_DOMAIN }}/api/course_live/course/course-v1:{{ COURSE_ID }}/{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/settings{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/providers{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/settings?provider_id=openedxFiles
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/?page=0Advanced settings
{{ CMS_DOMAIN }}/api/contentstore/v1/proctoring_errors/course-v1:{{ COURSE_ID }}Certificates
{{ CMS_DOMAIN }}/api/contentstore/v1/certificates/course-v1:{{ COURSE_ID }}{{ CMS_DOMAIN }}/asset-v1:{{ COURSE_ID }}+type@asset+block@{{ FILE_NAME }}{{ CMS_DOMAIN }}/certificates/course-v1:{{ COURSE_ID }}{{ CMS_DOMAIN }}/certificates/activation/course-v1:{{ COURSE_ID }}/Import
{{ CMS_DOMAIN }}/import_status/course-v1:{{ COURSE_ID }}/demo-course.tar.gzExport
{{ CMS_DOMAIN }}/export_status/course-v1:{{ COURSE_ID }}POST Success (200-204)
{{ CMS_DOMAIN }}/course_info_update/course-v1:{{ COURSE_ID }}/Pages&Resources
{{ CMS_DOMAIN }}/api/course_live/course/course-v1:{{ COURSE_ID }}/{{ CMS_DOMAIN }}/api/discussions/v0/course/course-v1:{{ COURSE_ID }}/settingsTextbooks
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/Certificates
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/Import
{{ CMS_DOMAIN }}/import/course-v1:{{ COURSE_ID }}Export
{{ CMS_DOMAIN }}/export/course-v1:{{ COURSE_ID }}DELETE Success (200-204)
Course Updates
{{ CMS_DOMAIN }}/course_info_update/course-v1:{{ COURSE_ID }}/{{ UPDATE_ID }}Files
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/asset-v1:{{ COURSE_ID }}+type@asset+block@{{ FILE_NAME }}Certificates
{{ CMS_DOMAIN }}/certificates/course-v1:{{ COURSE_ID }}/{{ CERTIFICATE_ID }}PUT Success (200-204)
Course Updates
{{ CMS_DOMAIN }}/xblock/block-v1:{{ COURSE_ID }}+type@course_info+block@handoutsFiles
{{ CMS_DOMAIN }}/assets/course-v1:{{ COURSE_ID }}/asset-v1:{{ COURSE_ID }}+type@asset+block@{{ FILE_NAME }}PATCH Success (200-204)
Pages&Resources
{{ CMS_DOMAIN }}/api/course_apps/v1/apps/course-v1:{{ COURSE_ID }}GET Success (302)
Import
{{ CMS_DOMAIN }}/import/course-v1:{{ COURSE_ID }}Export
{{ CMS_DOMAIN }}/export/course-v1:{{ COURSE_ID }}Checklists
{{ CMS_DOMAIN }}/checklists/course-v1:{{ COURSE_ID }}Patches
master:fix: add edit permissions for limited staff only in LMS · openedx/edx-platform@0153086 · GitHub 3
open-release/redwood.master:fix: security issue limited staff have edit access through some APIs … · openedx/edx-platform@50097c2 · GitHub 4