From b8659e084ce7edb845bc2f52e7c11597e8773d0e Mon Sep 17 00:00:00 2001
From: Victor Shnayder
Date: Fri, 24 Aug 2012 16:30:16 -0400
Subject: [PATCH 1/2] Set request.user = student when impersonating a student * currently only in the staff view of student progress page [Fix #34379687]
---
 lms/djangoapps/courseware/views.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lms/djangoapps/courseware/views.py b/lms/djangoapps/courseware/views.py
index 83957c17d7..50b7a2d645 100644
--- a/lms/djangoapps/courseware/views.py
+++ b/lms/djangoapps/courseware/views.py
@@ -325,14 +325,17 @@ def progress(request, course_id, student_id=None):
 raise Http404
 student = User.objects.get(id=int(student_id))
+ # NOTE: To make sure impersonation by instructor works, use
+ # student instead of request.user in the rest of the function.
+
 student_module_cache = StudentModuleCache.cache_for_descriptor_descendents(
- course_id, request.user, course)
- course_module = get_module(request.user, request, course.location,
+ course_id, student, course)
+ course_module = get_module(student, request, course.location,
 student_module_cache, course_id)
 courseware_summary = grades.progress_summary(student, course_module, course.grader, student_module_cache)
- grade_summary = grades.grade(request.user, request, course, student_module_cache)
+ grade_summary = grades.grade(student, request, course, student_module_cache)
 context = {'course': course, 'courseware_summary': courseware_summary,
From 7a6fa1dd41a5f6b8b10a5b65f76edbaa59457da9 Mon Sep 17 00:00:00 2001
From: Victor Shnayder
Date: Fri, 24 Aug 2012 16:52:19 -0400
Subject: [PATCH 2/2] Fix access control for impersonation case - only relevant in tests due to start dates - still irritatingly intricate logic...
---
 lms/djangoapps/courseware/module_render.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
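Review bot: The impersonation path in `progress()` leaves no audit record: after the added NOTE, `student` replaces `request.user` for the module cache, `get_module` and `grades.grade`, but nothing visible records which staff account viewed which student's data. A line such as `log.info("staff %s viewing progress of student %s in %s", request.user.id, student.id, course_id)` placed right after the `User.objects.get(...)` lookup would cover it, assuming a logger is available in this module. The `request` object passed to `get_module` and `grades.grade` still carries the instructor as `request.user`, so the NOTE would be more accurate as `# NOTE: pass student (not request.user) as the user argument below; request itself still belongs to the staff member.` The function starts and ends outside this hunk, so whether later code reads `request.user` again cannot be checked from here.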
diff --git a/lms/djangoapps/courseware/module_render.py b/lms/djangoapps/courseware/module_render.py
index da9828fb12..8a96d2533f 100644
--- a/lms/djangoapps/courseware/module_render.py
+++ b/lms/djangoapps/courseware/module_render.py
@@ -143,8 +143,9 @@ def get_module(user, request, location, student_module_cache, course_id, positio
 exists. Arguments:
- - user : current django User
- - request : current django HTTPrequest
+ - user : User for whom we're getting the module
+ - request : current django HTTPrequest -- used in particular for auth
+ (This is important e.g. for prof impersonation of students in progress view)
 - location : A Location-like object identifying the module to load
 - student_module_cache : a StudentModuleCache
 - course_id : the course_id in the context of which to load module
@@ -170,7 +171,9 @@ def _get_module(user, request, location, student_module_cache, course_id, positi
 descriptor = modulestore().get_instance(course_id, location) # Short circuit--if the user shouldn't have access, bail without doing any work
- if not has_access(user, descriptor, 'load'):
+ # NOTE: Do access check on request.user -- that's who actually needs access (e.g. could be prof
+ # impersonating a user)
+ if not has_access(request.user, descriptor, 'load'):
 return None #TODO Only check the cache if this module can possibly have state
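Review bot: With the load check in `_get_module` moved to `request.user`, nothing in the visible lines ties `user` to the requester any more, so every caller that passes a `user` other than `request.user` has to have authorised that substitution itself; the progress view appears to do so through its staff check, but other callers are not visible here. I would state that contract at the check, e.g. `# Callers passing user != request.user must already have verified that request.user may act for user.`, and repeat it in the `user` entry of the `get_module` docstring changed in the first hunk. The check also no longer reflects what `user` may load, so a staff requester can get modules the student cannot yet load (the commit message mentions start dates) and the rendered progress may differ from the student's own view; one sentence on that in the same comment would help. The body of `_get_module` continues outside the hunk.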