refactor to add access control to already_existing access control routines in access.py

Kevin Chugh
2013-08-20 19:42:03 -04:00
parent 013009ea24
commit a2bbb65dcf
2 changed files with 15 additions and 11 deletions


@@ -114,6 +114,7 @@ def _has_access_course_desc(user, course, action):
Valid actions:
'load' -- load the courseware, see inside the course
'load_forum' -- can load and contribute to the forums (one access level for now)
'enroll' -- enroll. Checks for enrollment window,
ACCESS_REQUIRE_STAFF_FOR_COURSE,
'see_exists' -- can see that the course exists.
@@ -128,6 +129,13 @@ def _has_access_course_desc(user, course, action):
# delegate to generic descriptor check to check start dates
return _has_access_descriptor(user, course, 'load')
def can_load_forum():
"""
Can this user access the forums in this course?
"""
return (CourseEnrollment.is_enrolled(request.user, course_id) or \
_has_staff_access_to_descriptor(user, course)
def can_enroll():
"""
First check if restriction of enrollment by login method is enabled, both
@@ -193,6 +201,7 @@ def _has_access_course_desc(user, course, action):
checkers = {
'load': can_load,
'load_forum': can_load_forum,
'enroll': can_enroll,
'see_exists': see_exists,
'staff': lambda: _has_staff_access_to_descriptor(user, course),
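Review bot: The new `can_load_forum` cannot work as shown: its `return (` is never closed, and it reads `request.user` and `course_id`, neither of which is a parameter of `_has_access_course_desc(user, course, action)`. Unless the page rendering dropped text, the open parenthesis is a syntax error that would stop the access module from importing, which breaks every access check and not just the forum one. The closure should use the names it actually has in scope, e.g. `return (CourseEnrollment.is_enrolled(user, course.id) or _has_staff_access_to_descriptor(user, course))`, assuming the descriptor exposes its id as `course.id`. `CourseEnrollment` also has to be imported in this file if it is not already; the import block and the rest of the function body are outside these hunks.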


@@ -109,7 +109,7 @@ def inline_discussion(request, course_id, discussion_id):
"""
Renders JSON for DiscussionModules
"""
course = get_course_with_access(request.user, course_id, 'load')
course = get_course_with_access(request.user, course_id, 'load_forum')
try:
threads, query_params = get_threads(request, course_id, discussion_id, per_page=INLINE_THREADS_PER_PAGE)
@@ -169,13 +169,8 @@ def forum_form_discussion(request, course_id):
"""
Renders the main Discussion page, potentially filtered by a search query
"""
if not CourseEnrollment.is_enrolled(request.user, course_id) and \
not has_access(request.user, course_id, 'staff'):
access_violation_msg = "Unenrolled user {} tried to access forum for {}"
log.warning(access_violation_msg.format(request.user, course_id))
raise Http404
course = get_course_with_access(request.user, course_id, 'load')
course = get_course_with_access(request.user, course_id, 'load_forum')
category_map = utils.get_discussion_category_map(course)
try:
@@ -245,7 +240,7 @@ def forum_form_discussion(request, course_id):
@login_required
def single_thread(request, course_id, discussion_id, thread_id):
course = get_course_with_access(request.user, course_id, 'load')
course = get_course_with_access(request.user, course_id, 'load_forum')
cc_user = cc.User.from_django_user(request.user)
user_info = cc_user.to_dict()
@@ -280,7 +275,7 @@ def single_thread(request, course_id, discussion_id, thread_id):
log.error("Error loading single thread.")
raise Http404
course = get_course_with_access(request.user, course_id, 'load')
course = get_course_with_access(request.user, course_id, 'load_forum')
for thread in threads:
courseware_context = get_courseware_context(thread, course)
@@ -340,7 +335,7 @@ def single_thread(request, course_id, discussion_id, thread_id):
@login_required
def user_profile(request, course_id, user_id):
#TODO: Allow sorting?
course = get_course_with_access(request.user, course_id, 'load')
course = get_course_with_access(request.user, course_id, 'load_forum')
try:
profiled_user = cc.User(id=user_id, course_id=course_id)
@@ -381,7 +376,7 @@ def user_profile(request, course_id, user_id):
def followed_threads(request, course_id, user_id):
course = get_course_with_access(request.user, course_id, 'load')
course = get_course_with_access(request.user, course_id, 'load_forum')
try:
profiled_user = cc.User(id=user_id, course_id=course_id)
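Review bot: Every view in this file swaps the 'load' check for 'load_forum' instead of requiring both, and `can_load_forum` as shown in the access file only tests enrolment or staff status, so the start-date gating that 'load' delegates to `_has_access_descriptor` no longer applies to the forum views. In `forum_form_discussion` the old code required enrolment or staff and then 'load'; the new code requires only the former. If that relaxation is not intended, have the forum checker build on the load check, e.g. `return can_load() and (<enrolled or staff>)`. The removed block also logged `Unenrolled user {} tried to access forum for {}` before raising Http404; whether `get_course_with_access` logs denials is not visible here, so that audit signal may be lost and would be worth emitting from the access layer. The view bodies continue outside the hunks.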