From c2d1791de4bc934305b77a2bf7689682a083e15c Mon Sep 17 00:00:00 2001
From: David Ormsbee
Date: Mon, 19 Aug 2013 17:09:47 -0400
Subject: [PATCH 1/7] Make it so that students who are not enrolled cannot see the forum
---
 lms/djangoapps/django_comment_client/forum/views.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lms/djangoapps/django_comment_client/forum/views.py b/lms/djangoapps/django_comment_client/forum/views.py
index 24305a214a..aeaa763280 100644
--- a/lms/djangoapps/django_comment_client/forum/views.py
+++ b/lms/djangoapps/django_comment_client/forum/views.py
@@ -12,6 +12,7 @@ from courseware.courses import get_course_with_access
 from course_groups.cohorts import (is_course_cohorted, get_cohort_id, is_commentable_cohorted, get_cohorted_commentables, get_course_cohorts, get_cohort_by_id)
 from courseware.access import has_access
+from student.models import CourseEnrollment
 from django_comment_client.permissions import cached_has_permission
 from django_comment_client.utils import (merge_dict, extract, strip_none, get_courseware_context)
@@ -168,6 +169,11 @@ def forum_form_discussion(request, course_id):
     """
     Renders the main Discussion page, potentially filtered by a search query
     """
+    if not CourseEnrollment.is_enrolled(request.user, course_id):
+        access_violation_msg = "Unenrolled user {} tried to access forum for {}"
+        log.warning(access_violation_msg.format(request.user, course_id))
+        raise Http404
+
     course = get_course_with_access(request.user, course_id, 'load')
     category_map = utils.get_discussion_category_map(course)
From 013009ea244cc6f9ebf7e3ca44b4bf3e5653d3bd Mon Sep 17 00:00:00 2001
From: David Ormsbee
Date: Mon, 19 Aug 2013 17:27:23 -0400
Subject: [PATCH 2/7] Let staff have access to a forum even if they're not enrolled in the course.
---
 lms/djangoapps/django_comment_client/forum/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lms/djangoapps/django_comment_client/forum/views.py b/lms/djangoapps/django_comment_client/forum/views.py
index aeaa763280..1d4bb033f6 100644
--- a/lms/djangoapps/django_comment_client/forum/views.py
+++ b/lms/djangoapps/django_comment_client/forum/views.py
@@ -169,7 +169,8 @@ def forum_form_discussion(request, course_id):
     """
     Renders the main Discussion page, potentially filtered by a search query
     """
-    if not CourseEnrollment.is_enrolled(request.user, course_id):
+    if not CourseEnrollment.is_enrolled(request.user, course_id) and \
+       not has_access(request.user, course_id, 'staff'):
         access_violation_msg = "Unenrolled user {} tried to access forum for {}"
         log.warning(access_violation_msg.format(request.user, course_id))
         raise Http404
From a2bbb65dcf6df51e9c4914a6343681bcd795db5e Mon Sep 17 00:00:00 2001
From: Kevin Chugh
Date: Tue, 20 Aug 2013 19:42:03 -0400
Subject: [PATCH 3/7] refactor to add access control to already_existing access control routines in access.py
---
 lms/djangoapps/courseware/access.py | 9 +++++++++
 .../django_comment_client/forum/views.py | 17 ++++++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/lms/djangoapps/courseware/access.py b/lms/djangoapps/courseware/access.py
index 8259507617..7c85e1e787 100644
--- a/lms/djangoapps/courseware/access.py
+++ b/lms/djangoapps/courseware/access.py
@@ -114,6 +114,7 @@ def _has_access_course_desc(user, course, action):
     Valid actions:
     'load' -- load the courseware, see inside the course
+    'load_forum' -- can load and contribute to the forums (one access level for now)
     'enroll' -- enroll. Checks for enrollment window, ACCESS_REQUIRE_STAFF_FOR_COURSE,
     'see_exists' -- can see that the course exists.
@@ -128,6 +129,13 @@ def _has_access_course_desc(user, course, action):
         # delegate to generic descriptor check to check start dates
         return _has_access_descriptor(user, course, 'load')
+    def can_load_forum():
+        """
+        Can this user access the forums in this course?
+        """
+        return (CourseEnrollment.is_enrolled(request.user, course_id) or \
+                _has_staff_access_to_descriptor(user, course)
+
     def can_enroll():
         """
         First check if restriction of enrollment by login method is enabled, both
@@ -193,6 +201,7 @@ def _has_access_course_desc(user, course, action):
     checkers = {
         'load': can_load,
+        'load_forum': can_load_forum,
         'enroll': can_enroll,
         'see_exists': see_exists,
         'staff': lambda: _has_staff_access_to_descriptor(user, course),
diff --git a/lms/djangoapps/django_comment_client/forum/views.py b/lms/djangoapps/django_comment_client/forum/views.py
index 1d4bb033f6..4f8de29145 100644
--- a/lms/djangoapps/django_comment_client/forum/views.py
+++ b/lms/djangoapps/django_comment_client/forum/views.py
@@ -109,7 +109,7 @@ def inline_discussion(request, course_id, discussion_id):
     """
     Renders JSON for DiscussionModules
     """
-    course = get_course_with_access(request.user, course_id, 'load')
+    course = get_course_with_access(request.user, course_id, 'load_forum')
     try:
         threads, query_params = get_threads(request, course_id, discussion_id, per_page=INLINE_THREADS_PER_PAGE)
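Review bot: `can_load_forum` reads `request.user` and `course_id`, neither of which is a name in scope of `_has_access_course_desc(user, course, action)`, and the `return (CourseEnrollment.is_enrolled(...) or \` expression is never closed, so this commit leaves access.py unimportable; `CourseEnrollment` is also not imported into access.py at this point. Patches 4 and 5 of the series repair all three, which means the three commits should be squashed so that no intermediate revision ships a broken access module. The backslash is redundant inside the parentheses; the intended expression reads better as `return (CourseEnrollment.is_enrolled(user, course.id)` / `        or _has_staff_access_to_descriptor(user, course))`. `_has_access_course_desc` starts and ends outside the hunk.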
@@ -169,13 +169,8 @@ def forum_form_discussion(request, course_id):
     """
     Renders the main Discussion page, potentially filtered by a search query
     """
-    if not CourseEnrollment.is_enrolled(request.user, course_id) and \
-       not has_access(request.user, course_id, 'staff'):
-        access_violation_msg = "Unenrolled user {} tried to access forum for {}"
-        log.warning(access_violation_msg.format(request.user, course_id))
-        raise Http404
-    course = get_course_with_access(request.user, course_id, 'load')
+    course = get_course_with_access(request.user, course_id, 'load_forum')
     category_map = utils.get_discussion_category_map(course)
     try:
@@ -245,7 +240,7 @@ def forum_form_discussion(request, course_id):
 @login_required
 def single_thread(request, course_id, discussion_id, thread_id):
-    course = get_course_with_access(request.user, course_id, 'load')
+    course = get_course_with_access(request.user, course_id, 'load_forum')
     cc_user = cc.User.from_django_user(request.user)
     user_info = cc_user.to_dict()
@@ -280,7 +275,7 @@ def single_thread(request, course_id, discussion_id, thread_id):
         log.error("Error loading single thread.")
         raise Http404
-    course = get_course_with_access(request.user, course_id, 'load')
+    course = get_course_with_access(request.user, course_id, 'load_forum')
     for thread in threads:
         courseware_context = get_courseware_context(thread, course)
@@ -340,7 +335,7 @@ def single_thread(request, course_id, discussion_id, thread_id):
 @login_required
 def user_profile(request, course_id, user_id):
     #TODO: Allow sorting?
-    course = get_course_with_access(request.user, course_id, 'load')
+    course = get_course_with_access(request.user, course_id, 'load_forum')
     try:
         profiled_user = cc.User(id=user_id, course_id=course_id)
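Review bot: Removing the inline check also drops the `log.warning("Unenrolled user {} tried to access forum for {}")` line, and nothing on the access.py side of this commit records the denial, so an unenrolled user hitting the forum now fails with whatever `get_course_with_access` raises and leaves no trace in the logs. If that audit line was wanted in patch 1 it should survive the refactor, for example a warning emitted from `can_load_forum` when it evaluates to False, assuming access.py has a module logger (none is visible in these hunks). `forum_form_discussion` continues past the hunk.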
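Review bot: `single_thread` now calls `get_course_with_access(request.user, course_id, 'load_forum')` twice, once at the top of the function (hunk at line 240) and again after the thread lookup (hunk at line 275), so the course load and the permission check run twice per request even though the visible context shows no reassignment of `course` in between. Reusing the `course` bound at the top and dropping the second assignment would avoid the repeated check. The body between the two hunks is outside SOURCE, so confirm nothing there rebinds `course` before removing the second call.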
@@ -381,7 +376,7 @@ def user_profile(request, course_id, user_id):
 def followed_threads(request, course_id, user_id):
-    course = get_course_with_access(request.user, course_id, 'load')
+    course = get_course_with_access(request.user, course_id, 'load_forum')
     try:
         profiled_user = cc.User(id=user_id, course_id=course_id)
From 08aafc58ea2dd1a5ee9c78bee8c136a8a0e1a2f6 Mon Sep 17 00:00:00 2001
From: Kevin Chugh
Date: Tue, 20 Aug 2013 19:43:46 -0400
Subject: [PATCH 4/7] refactor to add access control to already_existing access control routines in access.py
---
 lms/djangoapps/courseware/access.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lms/djangoapps/courseware/access.py b/lms/djangoapps/courseware/access.py
index 7c85e1e787..02289a045e 100644
--- a/lms/djangoapps/courseware/access.py
+++ b/lms/djangoapps/courseware/access.py
@@ -134,7 +134,7 @@ def _has_access_course_desc(user, course, action):
         Can this user access the forums in this course?
         """
         return (CourseEnrollment.is_enrolled(request.user, course_id) or \
-                _has_staff_access_to_descriptor(user, course)
+                _has_staff_access_to_descriptor(user, course))
     def can_enroll():
         """
From b317d45ffb7d91f88b3431bd498b3b90dee2bbcd Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 21 Aug 2013 09:49:09 -0400
Subject: [PATCH 5/7] add missing imports
---
 lms/djangoapps/courseware/access.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lms/djangoapps/courseware/access.py b/lms/djangoapps/courseware/access.py
index 02289a045e..89629782ee 100644
--- a/lms/djangoapps/courseware/access.py
+++ b/lms/djangoapps/courseware/access.py
@@ -17,6 +17,7 @@ from student.models import CourseEnrollmentAllowed
 from external_auth.models import ExternalAuthMap
 from courseware.masquerade import is_masquerading_as_student
 from django.utils.timezone import UTC
+from student.models import CourseEnrollment
 DEBUG_ACCESS = False
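Review bot: The context above `def followed_threads(request, course_id, user_id):` shows no `@login_required` decorator, unlike `single_thread` and `user_profile` in the neighbouring hunks, so after this change the `'load_forum'` check inside `get_course_with_access` is the only thing standing between an anonymous request and this view. That is acceptable only if `CourseEnrollment.is_enrolled` returns False for an unauthenticated user rather than raising; confirm that, or add `@login_required` above the def as the sibling views do. The decorator could be applied somewhere not visible here, but nothing in the hunk shows it, and the function body runs past the hunk.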
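Review bot: The new `from student.models import CourseEnrollment` repeats the module path of the existing `from student.models import CourseEnrollmentAllowed` line shown in the hunk heading, and is placed three lines away from it after unrelated imports. Folding both names into one statement, `from student.models import CourseEnrollment, CourseEnrollmentAllowed`, keeps the import block to one line per module and makes the two enrollment models visibly related.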
@@ -133,7 +134,7 @@ def _has_access_course_desc(user, course, action):
         """
         Can this user access the forums in this course?
         """
-        return (CourseEnrollment.is_enrolled(request.user, course_id) or \
+        return (CourseEnrollment.is_enrolled(user, course.id) or \
                 _has_staff_access_to_descriptor(user, course))
     def can_enroll():
From a36e3b19576b3e898130175faead739a56c55395 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 21 Aug 2013 11:06:30 -0400
Subject: [PATCH 6/7] CourseEnrollment no longer needed in forum/views
---
 lms/djangoapps/django_comment_client/forum/views.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lms/djangoapps/django_comment_client/forum/views.py b/lms/djangoapps/django_comment_client/forum/views.py
index 4f8de29145..f18ecb24e8 100644
--- a/lms/djangoapps/django_comment_client/forum/views.py
+++ b/lms/djangoapps/django_comment_client/forum/views.py
@@ -12,7 +12,6 @@ from courseware.courses import get_course_with_access
 from course_groups.cohorts import (is_course_cohorted, get_cohort_id, is_commentable_cohorted, get_cohorted_commentables, get_course_cohorts, get_cohort_by_id)
 from courseware.access import has_access
-from student.models import CourseEnrollment
 from django_comment_client.permissions import cached_has_permission
 from django_comment_client.utils import (merge_dict, extract, strip_none, get_courseware_context)
From 541aa0847189638120789154423947fd6aaa3f67 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 21 Aug 2013 11:59:39 -0400
Subject: [PATCH 7/7] update forum access to include check for valid date range
---
 lms/djangoapps/courseware/access.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lms/djangoapps/courseware/access.py b/lms/djangoapps/courseware/access.py
index 89629782ee..8fa40ec392 100644
--- a/lms/djangoapps/courseware/access.py
+++ b/lms/djangoapps/courseware/access.py
@@ -134,8 +134,10 @@ def _has_access_course_desc(user, course, action):
         """
         Can this user access the forums in this course?
         """
-        return (CourseEnrollment.is_enrolled(user, course.id) or \
-                _has_staff_access_to_descriptor(user, course))
+        return (can_load() and \
+                (CourseEnrollment.is_enrolled(user, course.id) or \
+                 _has_staff_access_to_descriptor(user, course)
+                ))
     def can_enroll():
         """
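Review bot: The docstring of `can_load_forum` still reads only "Can this user access the forums in this course?" while the rule it implements now has three parts, so it should say what those parts are, e.g. `Forum access requires that the course is loadable for this user (can_load, which applies the start-date check) and that the user is either enrolled or has staff access to the course.` Stating that `can_load()` is evaluated first, so a course that is not yet loadable is denied before the enrollment query runs, also protects the operand order from a well-meaning reorder. Separately, the backslash continuations are redundant inside the parentheses and the dangling `))` line is hard to read; `return can_load() and (CourseEnrollment.is_enrolled(user, course.id) or _has_staff_access_to_descriptor(user, course))` expresses the same thing. `_has_access_course_desc` starts and ends outside the hunk.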