Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,14 @@ Change Log
Unreleased
**********

1.21.0 - 2026-07-03
*******************

Changed
=======

* Drop superadmin entries from the assignment list endpoint to avoid exposing sensitive information about superadmins to non-superadmin users.

1.20.0 - 2026-07-01
*******************

Expand Down
2 changes: 1 addition & 1 deletion openedx_authz/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,6 @@

import os

__version__ = "1.20.0"
__version__ = "1.21.0"

ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))
2 changes: 1 addition & 1 deletion openedx_authz/api/users.py
Original file line number Diff line number Diff line change
Expand Up @@ -311,7 +311,7 @@ def _filter_candidate_assignments_by_params(

Args:
assignments: The full assignment list to filter. Each entry has exactly one role
(one policy line = one RoleAssignmentData), as produced by get_role_assignments.
(one policy line), as produced by get_role_assignments.
orgs: Optional list of org identifiers to keep (e.g., ['edX', 'MITx']), matched against scope.org.
scopes: Optional list of scope external keys to keep (e.g., ['lib:DemoX:CSPROB']).
roles: Optional list of role external keys to keep (e.g., ['library_admin', 'instructor']).
Expand Down
23 changes: 1 addition & 22 deletions openedx_authz/rest_api/v1/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -1160,7 +1160,6 @@ class TeamMemberAssignmentsAPIView(APIView):

- Requires authenticated user.
- Results are filtered according to calling user's scope-level view permissions.
- Superadmin entries are always included when the target user is a staff/superuser.

**Example Request**

Expand All @@ -1174,13 +1173,6 @@ class TeamMemberAssignmentsAPIView(APIView):
"next": null,
"previous": null,
"results": [
{
"is_superadmin": true,
"role": "django.superuser",
"org": "*",
"scope": "*",
"permission_count": null
},
{
"is_superadmin": false,
"role": "library_admin",
Expand Down Expand Up @@ -1312,16 +1304,6 @@ class AssignmentsAPIView(APIView):
"username": "contributor",
"email": "contributor@example.com"
},
{
"is_superadmin": true,
"role": "django.superuser",
"org": "*",
"scope": "*",
"permission_count": null,
"full_name": "",
"username": "admin",
"email": "admin@example.com"
},
]
}
"""
Expand Down Expand Up @@ -1366,10 +1348,7 @@ def get(self, request: HttpRequest) -> Response:
serializer.is_valid(raise_exception=True)
query_params = serializer.validated_data

user_role_assignments: list[UserAssignmentData | SuperAdminAssignmentData] = []

# Retrieve superadmin assignments (django staff or superuser users), as they always have access to everything
user_role_assignments += get_superadmin_assignments()
user_role_assignments: list[UserAssignmentData] = []

users_with_assignments = api.get_visible_role_assignments_for_user(
orgs=query_params.get("orgs"),
Expand Down
Loading