The workload approval rule enforced by the UI is not enforced by the backend.
In Templates/OpenBench/workload.html, the Approve button is only shown for approvers or superusers, and specifically not for the workload author:
```html
{% if not workload.approved and profile.approver and profile.user.username != workload.author %}
    <a class="anchorbutton btn-blue" href="/{{type|lower}}/{{workload.id}}/APPROVE">Approve</a>
{% elif not workload.approved and request.user.is_superuser %}
    <a class="anchorbutton btn-blue" href="/{{type|lower}}/{{workload.id}}/APPROVE">Approve</a>
{% else %}
    <a class="anchorbutton btn-disabled">Approve</a>
{% endif %}
```
However, the backend route accepts APPROVE for any logged-in workload author because all actions share the same generic permission check:
```python
profile = Profile.objects.get(user=request.user)
# One check for every action: approvers, or the workload's own author, may proceed.
# Nothing here distinguishes APPROVE from any other action.
if not profile.approver and workload.author != request.user.username:
    return OpenBench.views.redirect(request, '/index/', error='You cannot interact with another user\'s Workload')
message = actions[action](request, profile, workload)
```
and approval itself has no additional authorization check:
```python
def approve_workload(request, profile, workload):
    # No check that `profile` is an approver/superuser, or that it is not the author.
    workload.approved = True
    return 'Workload was Approved!'
```
As a result, a workload author can approve their own pending workload simply by requesting:
```
/test/<workload_id>/APPROVE/
```
This matters because approval is the trust boundary before workers pick up and execute workloads. An enabled user can submit a workload pointing at a repository they control and then bypass review by self-approving it.
Expected behavior: the backend should enforce the same rule as the UI, and APPROVE should require approver/superuser permissions, with self-approval explicitly rejected if cross-approval is intended.
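To make the expected rule concrete, here is an added example (not OpenBench's code; the `User`, `Profile`, `Workload` classes and `handle_action` function are constructed stand-ins for the Django objects in the snippets above). It keeps the generic "approver or author" gate for all actions and adds a per-action check so that `APPROVE` mirrors the template: an approver who is not the author, or a superuser. The legacy path is kept side by side to show the difference.

```python
from dataclasses import dataclass

# Constructed stand-ins for request.user, Profile and Workload (hypothetical models).
@dataclass
class User:
    username: str
    is_superuser: bool = False

@dataclass
class Profile:
    user: User
    approver: bool = False

@dataclass
class Workload:
    id: int
    author: str
    approved: bool = False

def can_interact(profile: Profile, workload: Workload) -> bool:
    """The generic rule from the page: approvers, or the workload's own author."""
    return profile.approver or workload.author == profile.user.username

def can_approve(profile: Profile, workload: Workload) -> bool:
    """Same rule the template uses to show the Approve button:
    a superuser, or an approver who is not the author."""
    if profile.user.is_superuser:
        return True
    return profile.approver and profile.user.username != workload.author

def approve_workload(profile: Profile, workload: Workload) -> str:
    workload.approved = True
    return 'Workload was Approved!'

def view_workload(profile: Profile, workload: Workload) -> str:
    return f'Workload {workload.id} by {workload.author}'

ACTIONS = {'APPROVE': approve_workload, 'VIEW': view_workload}

# Extra authorization per action; actions without an entry only need can_interact().
ACTION_CHECKS = {'APPROVE': can_approve}

def handle_action(profile: Profile, workload: Workload, action: str,
                  hardened: bool = True) -> tuple[bool, str]:
    """Returns (allowed, message). hardened=False reproduces the page's current
    behaviour (generic check only) for comparison."""
    if not can_interact(profile, workload):
        return False, "You cannot interact with another user's Workload"
    if hardened:
        extra = ACTION_CHECKS.get(action)
        if extra is not None and not extra(profile, workload):
            return False, f'{action} requires approver or superuser permissions'
    return True, ACTIONS[action](profile, workload)

if __name__ == '__main__':
    alice = Profile(User('alice'))
    print(handle_action(alice, Workload(1, 'alice'), 'APPROVE', hardened=False))
    print(handle_action(alice, Workload(2, 'alice'), 'APPROVE'))
```

Keeping the per-action checks in a table next to the action handlers means a new privileged action cannot be added without deciding who may call it, which is the property the single generic check lacks.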
Issue found and verified by GPT 5.4 in Codex. I do understand that admins on instances likely do not approve unknown users, but this is still a desync between frontend and backend.