From 599d21b7bb816db5c798d032cfb82d1e45dc38f0 Mon Sep 17 00:00:00 2001
From: Julia Eskew <julia.eskew@edx.org>
Date: Tue, 4 May 2021 13:55:34 -0400
Subject: [PATCH] feat: Deny course staff visibility of legacy courseware.
 (#27469)

Currently, course staff can always view their courses
in the Legacy courseware experience.

With this change, course staff will *not* be able
to view their courses if the New (MFE) courseware
experience has been enabled for them.

This does not affect global staff, and it does not
affect courses that are still running in the Legacy
experience.

Adds a new parameter returned by the course metadata API
used by the courseware MFE to determine if the button to
show legacy experience should be displayed or not.

TNL-8203
---
 lms/djangoapps/courseware/tests/test_views.py         |  6 +++---
 lms/djangoapps/courseware/toggles.py                  |  4 ----
 lms/djangoapps/courseware/views/index.py              |  1 -
 openedx/core/djangoapps/courseware_api/serializers.py |  1 +
 openedx/core/djangoapps/courseware_api/views.py       | 11 ++++++++++-
 5 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/lms/djangoapps/courseware/tests/test_views.py b/lms/djangoapps/courseware/tests/test_views.py
index ffdcf6274d..3a9965fbbd 100644
--- a/lms/djangoapps/courseware/tests/test_views.py
+++ b/lms/djangoapps/courseware/tests/test_views.py
@@ -3478,19 +3478,19 @@ class MFERedirectTests(BaseViewsTestCase):  # lint-amnesty, pylint: disable=miss
     def test_staff_no_redirect(self):
         lms_url, mfe_url = self._get_urls()  # lint-amnesty, pylint: disable=unused-variable
 
-        # course staff will not redirect
+        # course staff will redirect in an MFE-enabled course - and not redirect otherwise.
         course_staff = UserFactory.create(is_staff=False)
         CourseStaffRole(self.course_key).add_users(course_staff)
         self.client.login(username=course_staff.username, password='test')
 
         assert self.client.get(lms_url).status_code == 200
         with _set_mfe_flag(True):
-            assert self.client.get(lms_url).status_code == 200
+            assert self.client.get(lms_url).status_code == 302
 
         # global staff will never be redirected
         self._create_global_staff_user()
-        assert self.client.get(lms_url).status_code == 200
 
+        assert self.client.get(lms_url).status_code == 200
         with _set_mfe_flag(True):
             assert self.client.get(lms_url).status_code == 200
 
diff --git a/lms/djangoapps/courseware/toggles.py b/lms/djangoapps/courseware/toggles.py
index dc51c8235a..51220c4561 100644
--- a/lms/djangoapps/courseware/toggles.py
+++ b/lms/djangoapps/courseware/toggles.py
@@ -176,7 +176,6 @@ def courseware_mfe_is_advertised(
 def courseware_legacy_is_visible(
         course_key: CourseKey,
         is_global_staff=False,
-        is_course_staff=False,
 ) -> bool:
     """
     Can we see a course run's content in the Legacy frontend?
@@ -187,9 +186,6 @@ def courseware_legacy_is_visible(
     # ALLOW: Global staff may always see the Legacy experience.
     if is_global_staff:
         return True
-    # ALLOW: The course team may always see their course in the Legacy experience.
-    if is_course_staff:
-        return True
     # OTHERWISE: Legacy is only visible if it's the active (ie canonical) experience.
     #            Note that Old Mongo courses are never the active experience,
     #            so we effectively always ALLOW them to be viewed in Legacy.
diff --git a/lms/djangoapps/courseware/views/index.py b/lms/djangoapps/courseware/views/index.py
index 90f75558d0..8dd97c22a3 100644
--- a/lms/djangoapps/courseware/views/index.py
+++ b/lms/djangoapps/courseware/views/index.py
@@ -178,7 +178,6 @@ class CoursewareIndex(View):
         if courseware_legacy_is_visible(
                 course_key=self.course_key,
                 is_global_staff=self.request.user.is_staff,
-                is_course_staff=self.is_staff,
         ):
             return
         # STAY: if we are in a special (ie proctored/timed) exam, which isn't yet
diff --git a/openedx/core/djangoapps/courseware_api/serializers.py b/openedx/core/djangoapps/courseware_api/serializers.py
index 6f33a4bf27..bd055fe0ff 100644
--- a/openedx/core/djangoapps/courseware_api/serializers.py
+++ b/openedx/core/djangoapps/courseware_api/serializers.py
@@ -104,6 +104,7 @@ class CourseInfoSerializer(serializers.Serializer):  # pylint: disable=abstract-
     verified_mode = serializers.DictField()
     show_calculator = serializers.BooleanField()
     original_user_is_staff = serializers.BooleanField()
+    can_view_legacy_courseware = serializers.BooleanField()
     is_staff = serializers.BooleanField()
     can_load_courseware = serializers.DictField()
     notes = serializers.DictField()
diff --git a/openedx/core/djangoapps/courseware_api/views.py b/openedx/core/djangoapps/courseware_api/views.py
index a707de14c9..7b62518cd5 100644
--- a/openedx/core/djangoapps/courseware_api/views.py
+++ b/openedx/core/djangoapps/courseware_api/views.py
@@ -33,7 +33,11 @@ from lms.djangoapps.courseware.courses import check_course_access
 from lms.djangoapps.courseware.masquerade import setup_masquerade
 from lms.djangoapps.courseware.module_render import get_module_by_usage_id
 from lms.djangoapps.courseware.tabs import get_course_tab_list
-from lms.djangoapps.courseware.toggles import courseware_mfe_is_visible, course_exit_page_is_active
+from lms.djangoapps.courseware.toggles import (
+    courseware_legacy_is_visible,
+    courseware_mfe_is_visible,
+    course_exit_page_is_active
+)
 from lms.djangoapps.courseware.views.views import get_cert_data
 from lms.djangoapps.grades.api import CourseGradeFactory
 from lms.djangoapps.verify_student.services import IDVerificationService
@@ -93,6 +97,10 @@ class CoursewareMeta:
         self.is_staff = has_access(self.effective_user, 'staff', self.overview).has_access
         self.enrollment_object = CourseEnrollment.get_enrollment(self.effective_user, self.course_key,
                                                                  select_related=['celebration', 'user__celebration'])
+        self.can_view_legacy_courseware = courseware_legacy_is_visible(
+            course_key=course_key,
+            is_global_staff=self.original_user_is_global_staff,
+        )
 
     def __getattr__(self, name):
         return getattr(self.overview, name)
@@ -386,6 +394,7 @@ class CoursewareInformation(RetrieveAPIView):
         * can_load_course: Whether the user can view the course (AccessResponse object)
         * is_staff: Whether the effective user has staff access to the course
         * original_user_is_staff: Whether the original user has staff access to the course
+        * can_view_legacy_courseware: Indicates whether the user is able to see the legacy courseware view
         * user_has_passing_grade: Whether or not the effective user's grade is equal to or above the courses minimum
             passing grade
         * course_exit_page_is_active: Flag for the learning mfe on whether or not the course exit page should display