security: fix search username by email

Without this patch, it is possible to search for account info including username by using the email of a learner. This fix disallows searching using email by regular users and restricts this feature to only staff and superusers.
overhangio · Dec 21, 2021 · 553000e · 553000e
1 parent 4bfaa80
commit 553000e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@ Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
 
+- [Security] Prevent non-staff users from searching usernames by email.
+
 ## v13.0.1
 
 - [Fix] Missing requirements file in `pip install tutor[full]`.

diff --git a/tutor/env.py b/tutor/env.py
@@ -12,7 +12,7 @@
 
 TEMPLATES_ROOT = pkg_resources.resource_filename("tutor", "templates")
 VERSION_FILENAME = "version"
-BIN_FILE_EXTENSIONS = [".ico", ".jpg", ".png", ".ttf", ".woff", ".woff2"]
+BIN_FILE_EXTENSIONS = [".ico", ".jpg", ".patch", ".png", ".ttf", ".woff", ".woff2"]
 
 
 class JinjaEnvironment(jinja2.Environment):

diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
@@ -50,6 +50,9 @@ RUN git fetch --depth=2 https://github.com/regisb/edx-platform 51e0ec3b97ae5badb
 # Fix forum notification for questions
 # https://github.com/edx/edx-platform/pull/29611
 RUN git fetch --depth=2 https://github.com/open-craft/edx-platform/ 03731f19459e558f188c06aac5cc9ca1bbc675c2 && git cherry-pick 03731f19459e558f188c06aac5cc9ca1bbc675c2
+# Fix email search
+# https://github.com/overhangio/edx-platform/commit/78da3d86b79e808462b88f219efb90bf8253a5d1
+RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ 78da3d86b79e808462b88f219efb90bf8253a5d1 && git cherry-pick 78da3d86b79e808462b88f219efb90bf8253a5d1
 {% endif %}
 
 {# Example: RUN git fetch --depth=2 https://github.com/edx/edx-platform <GITSHA1> && git cherry-pick <GITSHA1> #}