Merge pull request #34399 from raccoongang/fix-cohort-api-permissions

fix: cohorts api permissions
2025-07-28 09:54:44 -04:00
parent 24181468ec 1ee0f8e225
commit e389addd0a
1 changed files with 7 additions and 5 deletions
--- a/openedx/core/djangoapps/course_groups/permissions.py
+++ b/openedx/core/djangoapps/course_groups/permissions.py
@@ -8,7 +8,7 @@ from rest_framework import permissions
 from openedx.core.djangoapps.django_comment_common.models import (
    FORUM_ROLE_ADMINISTRATOR, FORUM_ROLE_COMMUNITY_TA, FORUM_ROLE_MODERATOR
 )
-from common.djangoapps.student.roles import GlobalStaff
+from common.djangoapps.student.roles import CourseStaffRole, GlobalStaff, CourseInstructorRole
 from lms.djangoapps.discussion.django_comment_client.utils import get_user_role_names


@@ -19,15 +19,17 @@ class IsStaffOrAdmin(permissions.BasePermission):

    def has_permission(self, request, view):
        """Returns true if the user is admin or staff and request method is GET."""
+        if GlobalStaff().has_user(request.user) or request.user.is_superuser:
+            return True
        course_key = CourseKey.from_string(view.kwargs.get('course_key_string'))
        user_roles = get_user_role_names(request.user, course_key)
-        is_user_staff = bool(user_roles & {
+        has_discussion_privileges = bool(user_roles & {
            FORUM_ROLE_ADMINISTRATOR,
            FORUM_ROLE_MODERATOR,
            FORUM_ROLE_COMMUNITY_TA,
        })
        return (
-            GlobalStaff().has_user(request.user) or
-            request.user.is_staff or
-            is_user_staff and request.method == "GET"
+            CourseInstructorRole(course_key).has_user(request.user) or
+            CourseStaffRole(course_key).has_user(request.user) or
+            has_discussion_privileges and request.method == "GET"
        )