
Security: vcauth admin permission check and exception handling#1508

Open
davmlaw wants to merge 1 commit into master from security/vcauth-admin-fixes

Conversation

@davmlaw (Contributor) commented Apr 2, 2026

Summary

Fixes two security issues identified in the vcauth admin (see SACGF/variantgrid_private#3822):

  • HIGH: Added allowed_permissions = ['change'] to the email_discordance action. Without this, any staff user with Django admin access could trigger bulk summary emails regardless of their actual permissions.
  • MEDIUM: Replaced raw exception exposure in admin messages with server-side logging + a generic error message, preventing internal infrastructure details from leaking to admin users.

Test plan

  • Log in as a staff user without User change permission — confirm "Email weekly summary" action is not available
  • Log in as a staff user with User change permission — confirm action works as before
  • Simulate a send failure — confirm generic error message appears in admin UI and exception is logged server-side

- Add allowed_permissions = ['change'] to email_discordance action so
  only users with User change permission can trigger bulk emails
- Log exceptions server-side and show a generic error message instead of
  exposing raw exception details (including email addresses) in the admin UI
@davmlaw force-pushed the security/vcauth-admin-fixes branch from 641bbfe to aa5d84b on April 2, 2026 00:40
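To illustrate the two fixes this PR describes, here is an added example that is not code from the PR or from variantgrid: a pure-Python stand-in for the part of Django's `ModelAdmin.get_actions` that filters actions by `allowed_permissions`, with the action shown before and after the fix. `send_weekly_summary`, `FakeRequest`, `UserAdminStandIn` and the permission codename `vcauth.change_user` are constructed assumptions; in real Django the action would call `modeladmin.message_user` instead of returning a string.

```python
import logging

logger = logging.getLogger("vcauth.admin")


def send_weekly_summary(email):
    """Constructed stand-in for the mailer: fails for any non-.example address."""
    if not email.endswith(".example"):
        # The error text carries internal details (relay host, recipient).
        raise ConnectionError(f"relay smtp.internal.example refused <{email}>")
    return True


def email_discordance_before(modeladmin, request, queryset):
    # Before the fix: no allowed_permissions, and the raw exception text
    # (recipient address and relay host included) is echoed to the admin UI.
    try:
        for email in queryset:
            send_weekly_summary(email)
        return "Sent"
    except Exception as e:
        return f"Error sending summary: {e}"


def email_discordance(modeladmin, request, queryset):
    # After the fix: traceback goes to the server log, user sees a generic message.
    try:
        for email in queryset:
            send_weekly_summary(email)
        return "Sent"
    except Exception:
        logger.exception("email_discordance failed")
        return "Error sending summary; see server logs."


# Same attribute Django's admin reads when deciding who may see the action.
email_discordance.allowed_permissions = ["change"]


class FakeRequest:
    def __init__(self, *perms):
        self.perms = set(perms)  # constructed: permission codenames the user holds


class UserAdminStandIn:
    """Minimal model of ModelAdmin's permission filter for actions (not Django itself)."""
    actions = [email_discordance_before, email_discordance]

    def has_change_permission(self, request):
        return "vcauth.change_user" in request.perms

    def get_actions(self, request):
        # Each action must pass has_<perm>_permission for every allowed permission.
        names = []
        for func in self.actions:
            needed = getattr(func, "allowed_permissions", ())
            if all(getattr(self, f"has_{p}_permission")(request) for p in needed):
                names.append(func.__name__)
        return names
```

With no `change` permission only the unguarded "before" action survives the filter, which is the HIGH finding; with it, both actions are offered.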