Switch update_forum_role_membership over to using a StaffAccessRule with query checking

lms/djangoapps/instructor/permissions.py

@@ -8,10 +8,12 @@ from courseware.rules import HasAccessRule
 ALLOW_STUDENT_TO_BYPASS_ENTRANCE_EXAM = 'instructor.allow_student_to_bypass_entrance_exam'
 ASSIGN_TO_COHORTS = 'instructor.assign_to_cohorts'
 EDIT_COURSE_ACCESS = 'instructor.edit_course_access'
+EDIT_FORUM_ROLES = 'instructor.edit_forum_roles'
 VIEW_ISSUED_CERTIFICATES = 'instructor.view_issued_certificates'
 
 
 perms[ALLOW_STUDENT_TO_BYPASS_ENTRANCE_EXAM] = HasAccessRule('staff')
 perms[ASSIGN_TO_COHORTS] = HasAccessRule('staff')
 perms[EDIT_COURSE_ACCESS] = HasAccessRule('instructor')
+perms[EDIT_FORUM_ROLES] = HasAccessRule('staff')
 perms[VIEW_ISSUED_CERTIFICATES] = HasAccessRule('staff')

lms/djangoapps/instructor/views/api.py

@@ -152,6 +152,7 @@ from ..permissions import (
     ALLOW_STUDENT_TO_BYPASS_ENTRANCE_EXAM,
     ASSIGN_TO_COHORTS,
     EDIT_COURSE_ACCESS,
+    EDIT_FORUM_ROLES,
     VIEW_ISSUED_CERTIFICATES,
 )
 
@@ -2788,7 +2789,7 @@ def send_email(request, course_id):
 @require_POST
 @ensure_csrf_cookie
 @cache_control(no_cache=True, no_store=True, must_revalidate=True)
-@require_level('staff')
+@require_course_permission(EDIT_FORUM_ROLES)
 @require_post_params(
     unique_student_identifier="email or username of user to change access",
     rolename="the forum role",