From ed2febe44ea0109fcddcf3626458dc7522e363e2 Mon Sep 17 00:00:00 2001
From: Chris Dodge
Date: Tue, 16 Oct 2012 13:17:41 -0400
Subject: [PATCH] fix 403 error when editors visit page (make read only). Don't allow user to remove him/herself. Rewire up the remove user callback.
---
 cms/djangoapps/contentstore/views.py | 6 ++++--
 cms/templates/manage_users.html | 8 +++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/cms/djangoapps/contentstore/views.py b/cms/djangoapps/contentstore/views.py
index d95322f2f8..28cb82c608 100644
--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -731,7 +731,7 @@ This view will return all CMS users who are editors for the specified course
 def manage_users(request, location):
 # check that logged in user has permissions to this item
- if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
+ if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME) and not has_access(request.user, location, role=EDITOR_ROLE_NAME):
 raise PermissionDenied()
 course_module = modulestore().get_item(location)
@@ -741,7 +741,9 @@ def manage_users(request, location):
 'context_course': course_module,
 'staff': get_users_in_course_group_by_role(location, STAFF_ROLE_NAME),
 'add_user_postback_url' : reverse('add_user', args=[location]).rstrip('/'),
- 'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/')
+ 'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/'),
+ 'allow_actions' : has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME),
+ 'request_user_id' : request.user.id
 })
diff --git a/cms/templates/manage_users.html b/cms/templates/manage_users.html
index 3adfa42a16..80cb1256fb 100644
--- a/cms/templates/manage_users.html
+++ b/cms/templates/manage_users.html
@@ -16,20 +16,26 @@ New User + %if allow_actions:
save cancel
+ %endif
    % for user in staff:
  1. ${user.username} ${user.email} + %if allow_actions :
    - + %if request_user_id != user.id: + + %endif
    + %endif
  2. % endfor
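Review bot: The self-removal guard `%if request_user_id != user.id:` and the two `%if allow_actions` blocks only decide which controls are rendered, so they are a display rule and not an access control. The views behind the `add_user` and `remove_user` URLs are not part of this diff; now that `manage_users` admits `EDITOR_ROLE_NAME`, confirm that each of those views checks `has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME)` on its own and that the remove view refuses a target equal to `request.user`. A Mako comment beside the guard, for example `## display only: the remove_user view enforces the instructor role and the self-removal rule`, would record where the enforcement lives. The widened check also shows every staff member's `${user.email}` to editors, which looks intended but should be stated in the commit description.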