Stop using authz functions to change user groups

They contain too much incorrect permission checking
2013-08-01 11:24:40 -04:00
parent a1f43fa6fd
commit 607c06cba8
1 changed files with 19 additions and 16 deletions
--- a/cms/djangoapps/contentstore/views/user.py
+++ b/cms/djangoapps/contentstore/views/user.py
@@ -16,10 +16,10 @@ from xmodule.modulestore import Location
 from contentstore.utils import get_lms_link_for_item
 from util.json_request import JsonResponse
 from auth.authz import (
-    STAFF_ROLE_NAME, INSTRUCTOR_ROLE_NAME,
-    add_user_to_course_group, remove_user_from_course_group,
-    get_course_groupname_for_role)
-from course_creators.views import get_course_creator_status, add_user_with_status_unrequested, user_requested_access
+    STAFF_ROLE_NAME, INSTRUCTOR_ROLE_NAME, get_course_groupname_for_role)
+from course_creators.views import (
+    get_course_creator_status, add_user_with_status_unrequested,
+    user_requested_access)

 from .access import has_access

@@ -154,16 +154,17 @@ def course_team_user(request, org, course, name, email):
        return JsonResponse(msg, 400)

    # make sure that the role groups exist
-    staff_groupname = get_course_groupname_for_role(location, "staff")
-    staff_group, __ = Group.objects.get_or_create(name=staff_groupname)
-    inst_groupname = get_course_groupname_for_role(location, "instructor")
-    inst_group, __ = Group.objects.get_or_create(name=inst_groupname)
+    groups = {}
+    for role in roles:
+        groupname = get_course_groupname_for_role(location, role)
+        group, __ = Group.objects.get_or_create(name=groupname)
+        groups[role] = group

    if request.method == "DELETE":
        # remove all roles in this course from this user: but fail if the user
        # is the last instructor in the course team
-        instructors = set(inst_group.user_set.all())
-        staff = set(staff_group.user_set.all())
+        instructors = set(groups["instructor"].user_set.all())
+        staff = set(groups["staff"].user_set.all())
        if user in instructors and len(instructors) == 1:
            msg = {
                "error": _("You may not remove the last instructor from a course")
@@ -171,9 +172,9 @@ def course_team_user(request, org, course, name, email):
            return JsonResponse(msg, 400)

        if user in instructors:
-            user.groups.remove(inst_group)
+            user.groups.remove(groups["instructor"])
        if user in staff:
-            user.groups.remove(staff_group)
+            user.groups.remove(groups["staff"])
        user.save()
        return JsonResponse()

@@ -198,19 +199,21 @@ def course_team_user(request, org, course, name, email):
                "error": _("Only instructors may create other instructors")
            }
            return JsonResponse(msg, 400)
-        add_user_to_course_group(request.user, user, location, role)
+        user.groups.add(groups["instructor"])
+        user.save()
    elif role == "staff":
        # if we're trying to downgrade a user from "instructor" to "staff",
        # make sure we have at least one other instructor in the course team.
-        instructors = set(inst_group.user_set.all())
+        instructors = set(groups["instructor"].user_set.all())
        if user in instructors:
            if len(instructors) == 1:
                msg = {
                    "error": _("You may not remove the last instructor from a course")
                }
                return JsonResponse(msg, 400)
-            remove_user_from_course_group(request.user, user, location, "instructor")
-        add_user_to_course_group(request.user, user, location, role)
+            user.groups.remove(groups["instructor"])
+        user.groups.add(groups["staff"])
+        user.save()
    return JsonResponse()