From 6ce7a60cf753450113ac6ef49e0613e92ae42ccc Mon Sep 17 00:00:00 2001 From: Sven Marnach Date: Tue, 15 Sep 2015 16:35:46 +0200 Subject: [PATCH] Clarify docstring of the enrollment list endpoint of the Enrollment API. --- common/djangoapps/enrollment/views.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/common/djangoapps/enrollment/views.py b/common/djangoapps/enrollment/views.py index 99b64fffac..b3d084203e 100644 --- a/common/djangoapps/enrollment/views.py +++ b/common/djangoapps/enrollment/views.py @@ -459,6 +459,13 @@ class EnrollmentListView(APIView, ApiKeyPermissionMixIn): Returns a list for the currently logged in user, or for the user named by the 'user' GET parameter. If the username does not match the currently logged in user, only courses the requesting user has staff permissions for are listed. + + Only staff or instructor permissions on individual courses are taken into account when + deciding whether the requesting user is permitted to see a particular enrollment, i.e. + organizational staff access doesn't grant permission to see the enrollments in all courses + of the organization. This may change in the future. + + However, users with global staff access can see all enrollments of all students. """ username = request.GET.get('user', request.user.username) try: