fix: Grant course staff access to discussions API

to match expected behavior.
stvn
2021-04-13 15:26:43 -07:00
parent 5284f397b4
commit 49594d92e6
2 changed files with 24 additions and 5 deletions


@@ -93,12 +93,9 @@ class AuthorizedApiTest(AuthenticatedApiTest):
assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
class CourseStaffAuthorizedTest(UnauthorizedApiTest):
class CourseStaffAuthorizedTest(AuthorizedApiTest):
"""
Course Staff should have the same access as Global Staff
TODO: This behavior should be changed to _allow_ access [1]
- [1] https://openedx.atlassian.net/browse/TNL-8231
"""
def _login(self):
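Review bot: `CourseStaffAuthorizedTest` now inherits only the positive cases from `AuthorizedApiTest`, and nothing visible in this section checks that staff of one course are refused on a different course's discussions configuration. Because the access being granted is scoped by course key, a companion negative test would pin that boundary: log in a user holding the course staff role for another course key and expect a denial (presumably `status.HTTP_403_FORBIDDEN`). `_login` continues outside the hunk, so the role setup there may already cover part of this.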


@@ -7,11 +7,12 @@ from lti_consumer.models import LtiConfiguration
from opaque_keys.edx.keys import CourseKey
from opaque_keys import InvalidKeyError
from rest_framework import serializers
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework.views import APIView
from common.djangoapps.student.roles import CourseStaffRole
from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
from openedx.core.lib.api.permissions import IsStaff
from .models import DEFAULT_PROVIDER_TYPE
from .models import DiscussionsConfiguration
@@ -30,6 +31,27 @@ PROVIDER_FEATURE_MAP = {
}
class IsStaff(BasePermission):
"""
Check if user is global or course staff
We create our own copy of this because other versions of this check
allow access to additional user roles.
"""
def has_permission(self, request, view):
"""
Check if user has global or course staff permission
"""
user = request.user
if user.is_staff:
return True
course_key_string = view.kwargs.get('course_key_string')
course_key = _validate_course_key(course_key_string)
return CourseStaffRole(
course_key,
).has_user(request.user)
class LtiSerializer(serializers.ModelSerializer):
"""
Serialize LtiConfiguration responses
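Review bot: `has_permission` in the new `IsStaff` class passes `view.kwargs.get('course_key_string')` straight to `_validate_course_key`, so a view routed without that kwarg hands `None` to a helper whose behaviour is not visible in this hunk. An explicit deny keeps the check fail-closed however the helper treats a missing or malformed key: add `if not course_key_string: return False` before the validation call. The class also shares its name with `IsStaff` from `openedx.core.lib.api.permissions`, listed in the import hunk above, so a reader could assume global-staff-only semantics; a distinct name would make the wider grant obvious at each `permission_classes` use. The final call can use the local `user` rather than `request.user`.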