From 2e1fec921c9dab00b5a9301ffd5dff25d801de29 Mon Sep 17 00:00:00 2001
From: Calen Pennington
Date: Wed, 31 Jul 2019 14:28:35 -0400
Subject: [PATCH] Add a decorator that checks for course-level permissions
---
 lms/djangoapps/instructor/views/api.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/lms/djangoapps/instructor/views/api.py b/lms/djangoapps/instructor/views/api.py
index 8e7163f1ed..71cfa36dd8 100644
--- a/lms/djangoapps/instructor/views/api.py
+++ b/lms/djangoapps/instructor/views/api.py
@@ -249,6 +249,28 @@ def require_level(level):
 return decorator
+def require_course_permission(permission):
+ """
+ Decorator with argument that requires a specific permission of the requesting
+ user. If the requirement is not satisfied, returns an
+ HttpResponseForbidden (403).
+
+ Assumes that request is in args[0].
+ Assumes that course_id is in kwargs['course_id'].
+ """
+ def decorator(func): # pylint: disable=missing-docstring
+ def wrapped(*args, **kwargs):
+ request = args[0]
+ course = get_course_by_id(CourseKey.from_string(kwargs['course_id']))
+
+ if request.user.has_perm(permission, course):
+ return func(*args, **kwargs)
+ else:
+ return HttpResponseForbidden()
+ return wrapped
+ return decorator
+
+
 def require_sales_admin(func):
 """
 Decorator for checking sales administrator access before executing an HTTP endpoint. This decorator
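Review bot: In `wrapped`, `CourseKey.from_string(kwargs['course_id'])` and `get_course_by_id(...)` both run before `request.user.has_perm(permission, course)`, so a malformed course id raises out of the decorator instead of producing the 403 the docstring promises. If `get_course_by_id` raises `Http404` for unknown courses (its behaviour is not visible in this hunk), a caller without the permission can also tell existing courses from missing ones by 403 versus 404. Consider catching both cases and returning `HttpResponseForbidden()`, so that every denied request looks the same. `wrapped` also lacks `functools.wraps(func)`, which means the view's name, docstring and any attributes set by inner decorators are lost when decorators are stacked. The sketch below assumes `InvalidKeyError`, `Http404` and `wraps` are already in scope in this module.

```python
    def decorator(func):  # pylint: disable=missing-docstring
        @wraps(func)
        def wrapped(*args, **kwargs):
            # … unchanged: request = args[0] …
            try:
                course = get_course_by_id(CourseKey.from_string(kwargs['course_id']))
            except (InvalidKeyError, Http404):
                # Deny uniformly: a bad or unknown course id must not be
                # distinguishable from a failed permission check.
                return HttpResponseForbidden()
            # … unchanged: has_perm check and call to func …
```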