
Make "staff", not "superuser", sufficient to access embargoed data #1994

Open
yarikoptic opened this issue Aug 7, 2024 · 0 comments
ATM we do not really use the staff level of access in Django, only superuser:

❯ git grep is_staff
dandiapi/api/admin.py:    list_filter = ['metadata__status', 'is_staff', 'is_superuser', 'is_active']
❯ git grep is_super
dandiapi/api/admin.py:    list_filter = ['metadata__status', 'is_staff', 'is_superuser', 'is_active']
dandiapi/api/permissions.py:            request.user.is_superuser
dandiapi/api/permissions.py:                request.user.is_superuser
dandiapi/api/services/dandiset/__init__.py:    if identifier and not user.is_superuser:
dandiapi/api/tests/test_users.py:        'admin': social_account.user.is_superuser,
dandiapi/api/views/auth.py:        and not user.is_superuser
dandiapi/api/views/dashboard.py:        return self.request.user.is_superuser
dandiapi/api/views/dashboard.py:    if not request.user.is_superuser:
dandiapi/api/views/users.py:        'admin': user.is_superuser,
dandiapi/api/views/users.py:        'admin': user.is_superuser,
dandiapi/api/views/users.py:        'admin': user.is_superuser,
dandiapi/api/views/version.py:        if not request.user.is_superuser:

I would feel a bit safer (although would it be just a red herring?) if we pretty much allowed the staff level, not the superuser (more destructive) level, to access API-accessible "secret" (embargoed) data and "dangerous" functionality, and left the "superuser" level only for really "core" users/actions. WDYT?
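The tiered split proposed above, sketched as an added example (not code from this issue or from dandi-archive): embargoed reads require at least staff, destructive actions still require superuser. The `Tier` ordering, the action names in `REQUIRED_TIER` and the `Dandiset` fields are assumptions for illustration; the flags mirror Django's `is_active`, `is_staff` and `is_superuser`.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Tier(IntEnum):
    """Hypothetical access tiers; higher value = more privilege."""
    ANONYMOUS = 0
    USER = 1
    STAFF = 2       # proposed: enough to read embargoed data
    SUPERUSER = 3   # kept for destructive / "core" actions only

@dataclass
class User:                  # stand-in for django.contrib.auth User flags
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False

@dataclass
class Dandiset:              # constructed model, not the project's
    identifier: str
    embargoed: bool
    owners: set = field(default_factory=set)

# Hypothetical action -> minimum tier (the split the issue asks for).
REQUIRED_TIER = {
    "view_embargoed": Tier.STAFF,
    "list_users": Tier.STAFF,
    "unembargo": Tier.SUPERUSER,
    "delete_dandiset": Tier.SUPERUSER,
}

def tier_of(user: Optional[User]) -> Tier:
    # Inactive accounts get nothing, whatever flags they carry.
    if user is None or not user.is_active:
        return Tier.ANONYMOUS
    # In Django is_superuser does NOT imply is_staff, so a bare
    # `if not user.is_staff` rewrite would lock out such superusers;
    # ordering the tiers avoids that.
    if user.is_superuser:
        return Tier.SUPERUSER
    return Tier.STAFF if user.is_staff else Tier.USER

def may(user: Optional[User], action: str) -> bool:
    return tier_of(user) >= REQUIRED_TIER[action]

def can_read_dandiset(user: Optional[User], ds: Dandiset) -> bool:
    if not ds.embargoed:
        return True
    if user is not None and user.is_active and user.username in ds.owners:
        return True          # owners keep reading their own embargoed data
    return may(user, "view_embargoed")
```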

@waxlamp waxlamp self-assigned this Aug 24, 2024