Merge pull request #22884 from edx/ziafazal/ENT-2543

ENT-2543: Added ability to add enrollment with GlobalStaff permissions
2020-01-21 18:07:55 +05:00
parent 0ce89b70eb 18f73c744c
commit 209364ece3
2 changed files with 38 additions and 2 deletions
--- a/openedx/core/djangoapps/enrollments/tests/test_views.py
+++ b/openedx/core/djangoapps/enrollments/tests/test_views.py
@@ -1000,6 +1000,40 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
        self.assertTrue(is_active)
        self.assertEqual(course_mode, updated_mode)

+    @ddt.data(
+        (True, status.HTTP_200_OK),
+        (False, status.HTTP_404_NOT_FOUND)
+    )
+    @ddt.unpack
+    def test_enrollment_with_global_staff_permissions(self, using_global_staff_user, http_status):
+        """Verify no audit enrollments for user different than requesting user and without
+        API_KEY should be done by the users having global staff permissions. """
+
+        CourseModeFactory.create(
+            course_id=self.course.id,
+            mode_slug=CourseMode.VERIFIED,
+            mode_display_name=CourseMode.VERIFIED,
+        )
+
+        username = self.OTHER_USERNAME
+        if using_global_staff_user:
+            username = 'global_staff'
+            AdminFactory(username=username, email='global_staff@example.com', password=self.PASSWORD)
+        self.client.login(username=username, password=self.PASSWORD)
+
+        # Create an enrollment
+        self.assert_enrollment_status(
+            as_server=False,
+            mode=CourseMode.VERIFIED,
+            expected_status=http_status
+        )
+
+        if using_global_staff_user:
+            course_mode, is_active = CourseEnrollment.enrollment_mode_for_user(self.user, self.course.id)
+            self.assertTrue(is_active)
+            self.assertEqual(course_mode, CourseMode.VERIFIED)
+        self.client.logout()
+
    @httpretty.activate
    @override_settings(ENTERPRISE_SERVICE_WORKER_USERNAME='enterprise_worker',
                       FEATURES=dict(ENABLE_ENTERPRISE_INTEGRATION=True))
--- a/openedx/core/djangoapps/enrollments/views.py
+++ b/openedx/core/djangoapps/enrollments/views.py
@@ -696,12 +696,14 @@ class EnrollmentListView(APIView, ApiKeyPermissionMixIn):
        # Check that the user specified is either the same user, or this is a server-to-server request.
        if not username:
            username = request.user.username
-        if username != request.user.username and not has_api_key_permissions:
+        if username != request.user.username and not has_api_key_permissions \
+                and not GlobalStaff().has_user(request.user):
            # Return a 404 instead of a 403 (Unauthorized). If one user is looking up
            # other users, do not let them deduce the existence of an enrollment.
            return Response(status=status.HTTP_404_NOT_FOUND)

-        if mode not in (CourseMode.AUDIT, CourseMode.HONOR, None) and not has_api_key_permissions:
+        if mode not in (CourseMode.AUDIT, CourseMode.HONOR, None) and not has_api_key_permissions \
+                and not GlobalStaff().has_user(request.user):
            return Response(
                status=status.HTTP_403_FORBIDDEN,
                data={