Switch generate_certificate_exceptions over to using a StaffAccessRule with query checking

lms/djangoapps/instructor/permissions.py

@@ -12,6 +12,7 @@ EDIT_COURSE_ACCESS = 'instructor.edit_course_access'
 EDIT_FORUM_ROLES = 'instructor.edit_forum_roles'
 EDIT_INVOICE_VALIDATION = 'instructor.edit_invoice_validation'
 ENABLE_CERTIFICATE_GENERATION = 'instructor.enable_certificate_generation'
+GENERATE_CERTIFICATE_EXCEPTIONS = 'instructor.generate_certificate_exceptions'
 GENERATE_BULK_CERTIFICATE_EXCEPTIONS = 'instructor.generate_bulk_certificate_exceptions'
 GIVE_STUDENT_EXTENSION = 'instructor.give_student_extension'
 VIEW_ISSUED_CERTIFICATES = 'instructor.view_issued_certificates'
@@ -23,6 +24,7 @@ perms[EDIT_COURSE_ACCESS] = HasAccessRule('instructor')
 perms[EDIT_FORUM_ROLES] = HasAccessRule('staff')
 perms[EDIT_INVOICE_VALIDATION] = HasAccessRule('staff')
 perms[ENABLE_CERTIFICATE_GENERATION] = is_staff
+perms[GENERATE_CERTIFICATE_EXCEPTIONS] = is_staff
 perms[GENERATE_BULK_CERTIFICATE_EXCEPTIONS] = is_staff
 perms[GIVE_STUDENT_EXTENSION] = HasAccessRule('staff')
 perms[VIEW_ISSUED_CERTIFICATES] = HasAccessRule('staff')

lms/djangoapps/instructor/views/api.py

@@ -155,6 +155,7 @@ from ..permissions import (
     EDIT_FORUM_ROLES,
     EDIT_INVOICE_VALIDATION,
     ENABLE_CERTIFICATE_GENERATION,
+    GENERATE_CERTIFICATE_EXCEPTIONS,
     GENERATE_BULK_CERTIFICATE_EXCEPTIONS,
     GIVE_STUDENT_EXTENSION,
     VIEW_ISSUED_CERTIFICATES,
@@ -3305,7 +3306,7 @@ def get_student(username_or_email, course_key):
 @transaction.non_atomic_requests
 @ensure_csrf_cookie
 @cache_control(no_cache=True, no_store=True, must_revalidate=True)
-@require_global_staff
+@require_course_permission(GENERATE_CERTIFICATE_EXCEPTIONS)
 @require_POST
 @common_exceptions_400
 def generate_certificate_exceptions(request, course_id, generate_for=None):