Merge pull request #20862 from cpennington/mobile-fbe-fields

Allow a limited subset of fields in the Course Block View for blocks …
2019-06-21 12:25:56 -04:00
parent a787cd51cf 093fc9f68a
commit b14244fe01
2 changed files with 34 additions and 10 deletions
--- a/lms/djangoapps/course_api/blocks/serializers.py
+++ b/lms/djangoapps/course_api/blocks/serializers.py
@@ -8,6 +8,25 @@ from rest_framework.reverse import reverse
 from .transformers import SUPPORTED_FIELDS


+# This lists the names of all fields that are allowed
+# to be show to users who do not have access to a particular piece
+# of content
+FIELDS_ALLOWED_IN_AUTH_DENIED_CONTENT = [
+    "display_name",
+    "block_id",
+    "student_view_url",
+    "student_view_multi_device",
+    "lms_web_url",
+    "type",
+    "id",
+    "block_counts",
+    "graded",
+    "descendants",
+    "authorization_denial_reason",
+    "authorization_denial_message",
+]
+
+
 class BlockSerializer(serializers.Serializer):  # pylint: disable=abstract-method
    """
    Serializer for single course block
@@ -40,15 +59,6 @@ class BlockSerializer(serializers.Serializer):  # pylint: disable=abstract-metho
        authorization_denial_reason = block_structure.get_xblock_field(block_key, 'authorization_denial_reason')
        authorization_denial_message = block_structure.get_xblock_field(block_key, 'authorization_denial_message')

-        if authorization_denial_reason and authorization_denial_message:
-            data = {
-                'id': unicode(block_key),
-                'block_id': unicode(block_key.block_id),
-                'authorization_denial_reason': authorization_denial_reason,
-                'authorization_denial_message': authorization_denial_message
-            }
-            return data
-
        data = {
            'id': unicode(block_key),
            'block_id': unicode(block_key.block_id),
@@ -89,6 +99,13 @@ class BlockSerializer(serializers.Serializer):  # pylint: disable=abstract-metho
            if children:
                data['children'] = [unicode(child) for child in children]

+        if authorization_denial_reason and authorization_denial_message:
+            data['authorization_denial_reason'] = authorization_denial_reason
+            data['authorization_denial_message'] = authorization_denial_message
+            for field in data.keys():  # pylint: disable=consider-iterating-dictionary
+                if field not in FIELDS_ALLOWED_IN_AUTH_DENIED_CONTENT:
+                    del data[field]
+
        return data


--- a/openedx/features/content_type_gating/tests/test_access.py
+++ b/openedx/features/content_type_gating/tests/test_access.py
@@ -135,12 +135,19 @@ def _assert_block_is_gated(block, is_gated, user, course, request_factory, has_u

    fake_request = request_factory.get('')
    with patch('lms.djangoapps.course_api.blocks.api.is_request_from_mobile_app', return_value=True):
-        blocks = get_blocks(fake_request, course.location, user=user)
+        requested_fields = ['display_name', 'block_id', 'student_view_url', 'student_view_data']
+        blocks = get_blocks(fake_request, course.location, user=user, requested_fields=requested_fields, student_view_data=['html'])
        course_api_block = blocks['blocks'][str(block.location)]
        if is_gated:
            assert 'authorization_denial_reason' in course_api_block
+            assert "display_name" in course_api_block
+            assert "block_id" in course_api_block
+            assert "student_view_url" in course_api_block
+            assert "student_view_data" not in course_api_block
        else:
            assert 'authorization_denial_reason' not in course_api_block
+            if block.category == 'html':
+                assert 'student_view_data' in course_api_block


 def _assert_block_is_empty(block, user_id, course, request_factory):