Merge pull request #15600 from edx/mjevtic/LEARNER-442

[LEARNER-1104] Allow staff members to view enrollment for any user
Marko Jevtić
2017-07-19 15:50:33 +02:00
committed by GitHub
2 changed files with 5 additions and 5 deletions


@@ -385,7 +385,7 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
def test_user_does_not_match_param(self):
"""
The view should return status 404 if the enrollment username does not match the username of the user
making the request, unless the request is made by a superuser or with a server API key.
making the request, unless the request is made by a staff user or with a server API key.
"""
CourseModeFactory.create(
course_id=self.course.id,
@@ -403,9 +403,9 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
response = self.client.get(url, **{'HTTP_X_EDX_API_KEY': self.API_KEY})
self.assertEqual(response.status_code, status.HTTP_200_OK)
# Verify superusers have access to this endpoint
superuser = UserFactory.create(password=self.PASSWORD, is_superuser=True)
self.client.login(username=superuser.username, password=self.PASSWORD)
# Verify staff have access to this endpoint
staff_user = UserFactory.create(password=self.PASSWORD, is_staff=True)
self.client.login(username=staff_user.username, password=self.PASSWORD)
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
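Review bot: The staff block replaces the superuser block rather than sitting beside it, so nothing in the visible part of this test pins what a superuser without `is_staff` now gets from the endpoint. If superusers are meant to keep access, keep a case built with `UserFactory.create(password=self.PASSWORD, is_superuser=True)` next to the new one and assert `status.HTTP_200_OK`. If the narrowing is intended, assert `status.HTTP_404_NOT_FOUND` for that user so the change is explicit. The test method continues outside the hunk, so an existing negative case for a plain authenticated user may already sit above these lines.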


@@ -167,7 +167,7 @@ class EnrollmentView(APIView, ApiKeyPermissionMixIn):
# TODO Implement proper permissions
if request.user.username != username and not self.has_api_key_permissions(request) \
and not request.user.is_superuser:
and not request.user.is_staff:
# Return a 404 instead of a 403 (Unauthorized). If one user is looking up
# other users, do not let them deduce the existence of an enrollment.
return Response(status=status.HTTP_404_NOT_FOUND)
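Review bot: The condition swaps `is_superuser` for `is_staff` instead of accepting either, so a superuser account whose `is_staff` flag is false now falls into the 404 branch, which is presumably not intended. If so, the last clause should read `and not (request.user.is_staff or request.user.is_superuser):`. Separately, `is_staff` is Django's global admin-site flag and is not scoped to a course, so every staff account can now read any learner's enrollment in any course. With `# TODO Implement proper permissions` still in place, a comment such as `# is_staff is global: any staff account may read any user's enrollment` would make that scope explicit for the next reader. The enclosing method starts and ends outside the hunk.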