From 49594d92e66b40f3d1de620fcfc8d1c77757de31 Mon Sep 17 00:00:00 2001
From: stvn
Date: Tue, 13 Apr 2021 15:26:43 -0700
Subject: [PATCH] fix: Grant course staff access to discussions API to match expected behavior.
---
 .../discussions/tests/test_views.py | 5 +---
 openedx/core/djangoapps/discussions/views.py | 24 ++++++++++++++++++-
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/openedx/core/djangoapps/discussions/tests/test_views.py b/openedx/core/djangoapps/discussions/tests/test_views.py
index 75dc57da74..533e761b4f 100644
--- a/openedx/core/djangoapps/discussions/tests/test_views.py
+++ b/openedx/core/djangoapps/discussions/tests/test_views.py
@@ -93,12 +93,9 @@ class AuthorizedApiTest(AuthenticatedApiTest):
 assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
-class CourseStaffAuthorizedTest(UnauthorizedApiTest):
+class CourseStaffAuthorizedTest(AuthorizedApiTest):
 """
 Course Staff should have the same access as Global Staff
-
- TODO: This behavior should be changed to _allow_ access [1]
-
- [1] https://openedx.atlassian.net/browse/TNL-8231
 """
 def _login(self):
diff --git a/openedx/core/djangoapps/discussions/views.py b/openedx/core/djangoapps/discussions/views.py
index 2380ce8f82..d32f08feb8 100644
--- a/openedx/core/djangoapps/discussions/views.py
+++ b/openedx/core/djangoapps/discussions/views.py
@@ -7,11 +7,12 @@ from lti_consumer.models import LtiConfiguration
 from opaque_keys.edx.keys import CourseKey
 from opaque_keys import InvalidKeyError
 from rest_framework import serializers
+from rest_framework.permissions import BasePermission
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from common.djangoapps.student.roles import CourseStaffRole
 from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
-from openedx.core.lib.api.permissions import IsStaff
 from .models import DEFAULT_PROVIDER_TYPE
 from .models import DiscussionsConfiguration
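Review bot: With `CourseStaffAuthorizedTest` now inheriting `AuthorizedApiTest`, the docstring `Course Staff should have the same access as Global Staff` matches the new behavior, but nothing in this hunk pins the denial side of the new permission for a course-level user who is not staff. If no sibling class in this file already logs in as, say, an enrolled learner and asserts the 403 path, one should be added so the widened grant in `IsStaff` cannot silently widen further. `_login` and the remainder of the class continue outside the hunk.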
@@ -30,6 +31,27 @@ PROVIDER_FEATURE_MAP = {
 }
+class IsStaff(BasePermission):
+ """
+ Check if user is global or course staff
+
+ We create our own copy of this because other versions of this check
+ allow access to additional user roles.
+ """
+ def has_permission(self, request, view):
+ """
+ Check if user has global or course staff permission
+ """
+ user = request.user
+ if user.is_staff:
+ return True
+ course_key_string = view.kwargs.get('course_key_string')
+ course_key = _validate_course_key(course_key_string)
+ return CourseStaffRole(
+ course_key,
+ ).has_user(request.user)
+
+
 class LtiSerializer(serializers.ModelSerializer):
 """
 Serialize LtiConfiguration responses
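Review bot: `has_permission` binds `user = request.user` and then passes `request.user` to `has_user` anyway; use the local consistently, `).has_user(user)`, so the subject of the check is read once. The course key comes from `view.kwargs.get('course_key_string')`, which is `None` when a view using this permission is routed without that kwarg, and the outcome then rests on how `_validate_course_key` (defined outside this hunk) treats `None` — it should be confirmed that this path raises or denies rather than grants. Since the grant is strictly `is_staff` or `CourseStaffRole` membership, other course-level roles are not admitted here unless `CourseStaffRole.has_user` covers them, which is not visible from this hunk; the class docstring should say so explicitly, e.g. `Grants access only to global staff (is_staff) and members of the course's staff role; no other roles are admitted.`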