From 18f73c744ca58e509887df7047f83f6bb979e862 Mon Sep 17 00:00:00 2001
From: "zia.fazal@arbisoft.com"
Date: Fri, 17 Jan 2020 12:21:50 +0500
Subject: [PATCH] Added ability to add enrollment with GlobalStaff permissions added unit test Reviewer feedback changes Fixed broken test
---
 .../enrollments/tests/test_views.py | 34 +++++++++++++++++++
 openedx/core/djangoapps/enrollments/views.py | 6 ++--
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/openedx/core/djangoapps/enrollments/tests/test_views.py b/openedx/core/djangoapps/enrollments/tests/test_views.py
index f1e64dfa63..7d4dbc0209 100644
--- a/openedx/core/djangoapps/enrollments/tests/test_views.py
+++ b/openedx/core/djangoapps/enrollments/tests/test_views.py
@@ -1000,6 +1000,40 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
         self.assertTrue(is_active)
         self.assertEqual(course_mode, updated_mode)
 
+    @ddt.data(
+        (True, status.HTTP_200_OK),
+        (False, status.HTTP_404_NOT_FOUND)
+    )
+    @ddt.unpack
+    def test_enrollment_with_global_staff_permissions(self, using_global_staff_user, http_status):
+        """Verify no audit enrollments for user different than requesting user and without
+        API_KEY should be done by the users having global staff permissions. """
+
+        CourseModeFactory.create(
+            course_id=self.course.id,
+            mode_slug=CourseMode.VERIFIED,
+            mode_display_name=CourseMode.VERIFIED,
+        )
+
+        username = self.OTHER_USERNAME
+        if using_global_staff_user:
+            username = 'global_staff'
+            AdminFactory(username=username, email='global_staff@example.com', password=self.PASSWORD)
+        self.client.login(username=username, password=self.PASSWORD)
+
+        # Create an enrollment
+        self.assert_enrollment_status(
+            as_server=False,
+            mode=CourseMode.VERIFIED,
+            expected_status=http_status
+        )
+
+        if using_global_staff_user:
+            course_mode, is_active = CourseEnrollment.enrollment_mode_for_user(self.user, self.course.id)
+            self.assertTrue(is_active)
+            self.assertEqual(course_mode, CourseMode.VERIFIED)
+        self.client.logout()
+
+
     @httpretty.activate
     @override_settings(ENTERPRISE_SERVICE_WORKER_USERNAME='enterprise_worker',
                        FEATURES=dict(ENABLE_ENTERPRISE_INTEGRATION=True))
diff --git a/openedx/core/djangoapps/enrollments/views.py b/openedx/core/djangoapps/enrollments/views.py
index 26a975acc9..cf2e73ffd2 100644
--- a/openedx/core/djangoapps/enrollments/views.py
+++ b/openedx/core/djangoapps/enrollments/views.py
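Review bot: The `False` case in `test_enrollment_with_global_staff_permissions` only asserts the 404 and never checks that the request had no side effect, so a regression that records the enrollment before returning 404 would pass; add an `else` branch after the staff-only assertions with `self.assertFalse(CourseEnrollment.is_enrolled(self.user, self.course.id))`. Because the non-staff request targets another user, it is rejected by the username guard first, so the relaxed non-audit-mode guard in views.py appears to be exercised only through the positive case here (it may be covered by an existing test elsewhere in the file). The docstring is hard to parse; suggested wording: `"""Only users with global staff permissions may create non-audit enrollments for another user without an API key; anyone else gets a 404."""`. `AdminFactory` is not visible in the hunk and presumably is already imported at the top of the file.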
@@ -696,12 +696,14 @@ class EnrollmentListView(APIView, ApiKeyPermissionMixIn):
         # Check that the user specified is either the same user, or this is a server-to-server request.
         if not username:
             username = request.user.username
-        if username != request.user.username and not has_api_key_permissions:
+        if username != request.user.username and not has_api_key_permissions \
+                and not GlobalStaff().has_user(request.user):
             # Return a 404 instead of a 403 (Unauthorized). If one user is looking up
             # other users, do not let them deduce the existence of an enrollment.
             return Response(status=status.HTTP_404_NOT_FOUND)
 
-        if mode not in (CourseMode.AUDIT, CourseMode.HONOR, None) and not has_api_key_permissions:
+        if mode not in (CourseMode.AUDIT, CourseMode.HONOR, None) and not has_api_key_permissions \
+                and not GlobalStaff().has_user(request.user):
             return Response(
                 status=status.HTTP_403_FORBIDDEN,
                 data={
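Review bot: `GlobalStaff().has_user(request.user)` is evaluated independently in the two authorization guards, so the privileged-caller rule is spelled out twice and the two checks can drift apart; compute it once with a name that states the intent, `is_privileged = has_api_key_permissions or GlobalStaff().has_user(request.user)`, then `if username != request.user.username and not is_privileged:` and `if mode not in (CourseMode.AUDIT, CourseMode.HONOR, None) and not is_privileged:`. This change widens who may create non-audit enrollments on behalf of other users from API-key callers to any logged-in global-staff session, so anything later in `post` that still keys on `has_api_key_permissions` alone is now inconsistent with these two guards and worth re-checking; the method continues past `data={` outside the hunk. The comment on the first line of the hunk still says "the same user, or this is a server-to-server request" and should mention global staff as the third case. The `GlobalStaff` import is not visible in this hunk and is presumably already present elsewhere in the file; PEP 8 also prefers a parenthesized condition over the backslash continuation.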