fix: studio edit permissions (#257)

Per 12. Make your fix public. I am merging this fix.
2022-10-27 10:12:28 -04:00
parent c2506ea8d0
commit f9c39375cc
2 changed files with 16 additions and 0 deletions
--- a/cms/djangoapps/contentstore/views/component.py
+++ b/cms/djangoapps/contentstore/views/component.py
@@ -538,6 +538,12 @@ def component_handler(request, usage_key_string, handler, suffix=''):
    """
    usage_key = UsageKey.from_string(usage_key_string)

+    # Addendum:
+    # TNL 101-62 studio write permission is also checked for editing content.
+
+    if handler == 'submit_studio_edits' and not has_course_author_access(request.user, usage_key.course_key):
+        raise PermissionDenied("No studio write Permissions")
+
    # Let the module handle the AJAX
    req = django_to_webob_request(request)

--- a/cms/djangoapps/contentstore/views/tests/test_item.py
+++ b/cms/djangoapps/contentstore/views/tests/test_item.py
@@ -8,6 +8,7 @@ from unittest.mock import Mock, PropertyMock, patch

 import ddt
 from django.conf import settings
+from django.core.exceptions import PermissionDenied
 from django.http import Http404
 from django.test import TestCase
 from django.test.client import RequestFactory
@@ -2142,6 +2143,15 @@ class TestComponentHandler(TestCase):
        with self.assertRaises(Http404):
            component_handler(self.request, self.usage_key_string, 'invalid_handler')

+    def test_submit_studio_edits_checks_author_permission(self):
+        with self.assertRaises(PermissionDenied):
+            with patch(
+                'common.djangoapps.student.auth.has_course_author_access',
+                return_value=False
+            ) as mocked_has_course_author_access:
+                component_handler(self.request, self.usage_key_string, 'submit_studio_edits')
+                assert mocked_has_course_author_access.called is True
+
    @ddt.data('GET', 'POST', 'PUT', 'DELETE')
    def test_request_method(self, method):