Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Course Blocks API: Return 403 instead of 500 for unknown courses (#25906)

Browse Source 
Anonymous users (like crawlers) requesting non-existent courses
should get 403, just like logged-in users do. They instead raised
a ValueError.
This commit is contained in:
Kyle McCormick
2020-12-17 18:13:51 -05:00
committed by GitHub
parent 6e1e1ddba8
commit 7f59688f9b
2 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lms/djangoapps/course_api/blocks/permissions.py
View File

@@ -8,6 +8,7 @@ from lms.djangoapps.courseware.access import has_access
from lms.djangoapps.courseware.access_response import AccessResponse from lms.djangoapps.courseware.access_response import AccessResponse
from lms.djangoapps.courseware.access_utils import ACCESS_DENIED, ACCESS_GRANTED, check_public_access from lms.djangoapps.courseware.access_utils import ACCESS_DENIED, ACCESS_GRANTED, check_public_access
from lms.djangoapps.courseware.courses import get_course from lms.djangoapps.courseware.courses import get_course
from openedx.core.djangoapps.content.course_overviews.models import CourseOverview
from common.djangoapps.student.models import CourseEnrollment from common.djangoapps.student.models import CourseEnrollment
from common.djangoapps.student.roles import CourseStaffRole from common.djangoapps.student.roles import CourseStaffRole
from xmodule.course_module import COURSE_VISIBILITY_PUBLIC from xmodule.course_module import COURSE_VISIBILITY_PUBLIC
@@ -39,15 +40,14 @@ def can_access_self_blocks(requesting_user: User, course_key: CourseKey) -> Acce
) )
if user_is_enrolled_or_staff: if user_is_enrolled_or_staff:
return ACCESS_GRANTED return ACCESS_GRANTED
try: return is_course_public(course_key)
return is_course_public(course_key)
except ValueError:
return ACCESS_DENIED
def is_course_public(course_key: CourseKey) -> AccessResponse: def is_course_public(course_key: CourseKey) -> AccessResponse:
""" """
This checks if a course is publicly accessible or not. This checks if a course is publicly accessible or not.
""" """
if not CourseOverview.course_exists(course_key):
return ACCESS_DENIED
course = get_course(course_key, depth=0) course = get_course(course_key, depth=0)
return check_public_access(course, [COURSE_VISIBILITY_PUBLIC]) return check_public_access(course, [COURSE_VISIBILITY_PUBLIC])

7
lms/djangoapps/course_api/blocks/tests/test_views.py
View File

@@ -395,7 +395,7 @@ class TestBlocksView(SharedModuleStoreTestCase):
self.verify_response_with_requested_fields(response) self.verify_response_with_requested_fields(response)
class TestBlocksInCourseView(TestBlocksView): class TestBlocksInCourseView(TestBlocksView): # pylint: disable=test-inherits-tests
""" """
Test class for BlocksInCourseView Test class for BlocksInCourseView
""" """
@@ -414,3 +414,8 @@ class TestBlocksInCourseView(TestBlocksView):
def test_non_existent_course(self): def test_non_existent_course(self):
self.verify_response(403, params={'course_id': str(CourseLocator('non', 'existent', 'course'))}) self.verify_response(403, params={'course_id': str(CourseLocator('non', 'existent', 'course'))})
def test_non_existent_course_anonymous(self):
self.client.logout()
self.query_params['username'] = ''
self.verify_response(403, params={'course_id': str(CourseLocator('non', 'existent', 'course'))})