Exit staff mode after permission revocation #2355

ybrnr · 2024-12-16T19:04:29Z

fix #2205

janno42

Nice 👍

Please check the formatting

Kakadus

naturally, a test would be nice : )

Thanks!

Kakadus · 2024-12-17T07:58:44Z

evap/staff/staff_mode.py

@@ -52,6 +52,9 @@ def is_in_staff_mode(request):


 def update_staff_mode(request):
+    if not request.user.has_staff_permission: 
+        exit_staff_mode(request)
+        return
    assert request.user.has_staff_permission


I think this assertion is no longer needed

I'd move it up to line 33, where I think it would still add value.

The call graphs we can get now are a bit wonky. We can have
enter_staff_mode -> update_staff_mode -> finds out that not request.user.has_staff_permission -> exit_staff_mode and returns without exception, which is probably never what the initial caller intended?

It seems to me that update_staff_mode was about "update the timestamp in the session to now()" in the past, now it has changed semantics. Could use a little clean up in general, I think.

I moved the assertion to line 33

I agree that, while it's not super urgent, the names could be improved. In general, enter_staff_mode seems unneeded since #1587. The current update_staff_mode is more of a try_entering_or_refreshing_staff_mode. I don't have a strong opinion, but having a "try to enter, but we will check whether you are allowed" as the only way to enter staff mode seems fair to me. Maybe the enter_staff_mode view should check that entering worked?

richardebeling

Blocking for missing test, since this is authorization logic and we discovered a code path in the issue that we considered not to happen naturally before. Feel free to assign the PR to me if you want me to write the test.

niklasmohrin

Very cool, thanks! Could you change the title to something more descriptive? The issue number doesn't need to appear, we will always be able to find it through the PR number, which will be automatically included once we merge :)

niklasmohrin · 2025-01-20T20:41:43Z

evap/staff/staff_mode.py

+    if not request.user.has_staff_permission:
+        exit_staff_mode(request)
+        return


@richardebeling @Kakadus Should we log something here?

I'm fine with both adding and not adding logging.

I think we can only manage one of the two

If you both don't care, I would prefer if we added a small info-level log like "user {} tried to update staff mode session without permission" @ybrnr

Edit: nevermind, @richardebeling convinced me against this afterall

niklasmohrin · 2025-01-27T18:28:23Z

@ybrnr How about "Exit staff mode after permission revocation"?

niklasmohrin

Blocking for #2355 (comment)

niklasmohrin

Nothing to see here

janno42 approved these changes Dec 16, 2024

View reviewed changes

Kakadus reviewed Dec 17, 2024

View reviewed changes

richardebeling requested changes Dec 20, 2024

View reviewed changes

ybrnr added 3 commits January 20, 2025 18:31

added check whether user has staff permission in middleware

9efcdb3

removed old print statement meant for debugging

e71f38c

added test for removing staff permission while in staff mode

42a2882

ybrnr force-pushed the iss2205 branch from dba5e50 to 42a2882 Compare January 20, 2025 17:32

ybrnr added 3 commits January 20, 2025 18:42

moved assertion

607ffdc

added newline at the end of test_views

0cee823

format code

16be2be

janno42 requested a review from richardebeling January 20, 2025 18:12

niklasmohrin approved these changes Jan 20, 2025

View reviewed changes

ybrnr changed the title ~~Iss2205~~ Staff mode user gets redirected to non staff mode on permission change Jan 21, 2025

Kakadus approved these changes Jan 27, 2025

View reviewed changes

Kakadus changed the title ~~Staff mode user gets redirected to non staff mode on permission change~~ Exit staff mode after permission revocation Jan 27, 2025

niklasmohrin requested changes Jan 27, 2025

View reviewed changes

niklasmohrin approved these changes Jan 27, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Exit staff mode after permission revocation #2355

Exit staff mode after permission revocation #2355

ybrnr commented Dec 16, 2024

janno42 left a comment

Kakadus left a comment

Kakadus Dec 17, 2024

richardebeling Dec 20, 2024

ybrnr Jan 20, 2025

niklasmohrin Jan 20, 2025

richardebeling left a comment •

edited

Loading

niklasmohrin left a comment •

edited

Loading

niklasmohrin Jan 20, 2025

richardebeling Jan 27, 2025

niklasmohrin Jan 27, 2025

niklasmohrin Jan 27, 2025 •

edited

Loading

niklasmohrin commented Jan 27, 2025

niklasmohrin left a comment

niklasmohrin left a comment

Exit staff mode after permission revocation #2355

Are you sure you want to change the base?

Exit staff mode after permission revocation #2355

Conversation

ybrnr commented Dec 16, 2024

janno42 left a comment

Choose a reason for hiding this comment

Kakadus left a comment

Choose a reason for hiding this comment

Kakadus Dec 17, 2024

Choose a reason for hiding this comment

richardebeling Dec 20, 2024

Choose a reason for hiding this comment

ybrnr Jan 20, 2025

Choose a reason for hiding this comment

niklasmohrin Jan 20, 2025

Choose a reason for hiding this comment

richardebeling left a comment • edited Loading

Choose a reason for hiding this comment

niklasmohrin left a comment • edited Loading

Choose a reason for hiding this comment

niklasmohrin Jan 20, 2025

Choose a reason for hiding this comment

richardebeling Jan 27, 2025

Choose a reason for hiding this comment

niklasmohrin Jan 27, 2025

Choose a reason for hiding this comment

niklasmohrin Jan 27, 2025 • edited Loading

Choose a reason for hiding this comment

niklasmohrin commented Jan 27, 2025

niklasmohrin left a comment

Choose a reason for hiding this comment

niklasmohrin left a comment

Choose a reason for hiding this comment

richardebeling left a comment •

edited

Loading

niklasmohrin left a comment •

edited

Loading

niklasmohrin Jan 27, 2025 •

edited

Loading