From f9c39375cc97e898d2fa43527a222c4330cd513c Mon Sep 17 00:00:00 2001
From: connorhaugh <49422820+connorhaugh@users.noreply.github.com>
Date: Thu, 27 Oct 2022 10:12:28 -0400
Subject: [PATCH] fix: studio edit permissions (#257)

Per 12. Make your fix public. I am merging this fix.
---
 cms/djangoapps/contentstore/views/component.py | 6 ++++++
 cms/djangoapps/contentstore/views/tests/test_item.py | 10 ++++++++++
 2 files changed, 16 insertions(+)

diff --git a/cms/djangoapps/contentstore/views/component.py b/cms/djangoapps/contentstore/views/component.py
index da15dc5c84..b93de39bd2 100644
--- a/cms/djangoapps/contentstore/views/component.py
+++ b/cms/djangoapps/contentstore/views/component.py
@@ -538,6 +538,12 @@ def component_handler(request, usage_key_string, handler, suffix=''):
 """
 usage_key = UsageKey.from_string(usage_key_string)
+ # Addendum:
+ # TNL 101-62 studio write permission is also checked for editing content.
+
+ if handler == 'submit_studio_edits' and not has_course_author_access(request.user, usage_key.course_key):
+ raise PermissionDenied("No studio write Permissions")
+
 # Let the module handle the AJAX
 req = django_to_webob_request(request)
diff --git a/cms/djangoapps/contentstore/views/tests/test_item.py b/cms/djangoapps/contentstore/views/tests/test_item.py
index b55e19c4f2..4e9118b779 100644
--- a/cms/djangoapps/contentstore/views/tests/test_item.py
+++ b/cms/djangoapps/contentstore/views/tests/test_item.py
@@ -8,6 +8,7 @@ from unittest.mock import Mock, PropertyMock, patch
 import ddt
 from django.conf import settings
+from django.core.exceptions import PermissionDenied
 from django.http import Http404
 from django.test import TestCase
 from django.test.client import RequestFactory
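Review bot: The new guard fires only when `handler == 'submit_studio_edits'`, yet `handler` is taken from the request URL and every other value still falls through to the dispatch below the hunk (`component_handler` continues past `req = django_to_webob_request(request)`), so any other state-changing XBlock handler — third-party blocks define their own — bypasses the course-author check entirely. Studio's component handler appears to exist only for course authors, so the check belongs in front of every handler: `if not has_course_author_access(request.user, usage_key.course_key):` followed by `raise PermissionDenied("No studio write permissions")`; if some handlers are intentionally reachable by non-authors, gate at least every non-GET request rather than a single handler name. Matching one handler name is an allowlist the caller controls, so whichever form is kept should be backed by a test that a different write handler is refused, not just this one. The `# Addendum:` / `# TNL 101-62 ...` comment reads as a ticket note rather than a reason; I would replace it with `# Studio XBlock handlers can mutate course content, so require course-author access before dispatching.`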
@@ -2142,6 +2143,15 @@ class TestComponentHandler(TestCase):
 with self.assertRaises(Http404):
 component_handler(self.request, self.usage_key_string, 'invalid_handler')
+ def test_submit_studio_edits_checks_author_permission(self):
+ with self.assertRaises(PermissionDenied):
+ with patch(
+ 'common.djangoapps.student.auth.has_course_author_access',
+ return_value=False
+ ) as mocked_has_course_author_access:
+ component_handler(self.request, self.usage_key_string, 'submit_studio_edits')
+ assert mocked_has_course_author_access.called is True
+
 @ddt.data('GET', 'POST', 'PUT', 'DELETE')
 def test_request_method(self, method):
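Review bot: `assert mocked_has_course_author_access.called is True` appears to sit inside the `with self.assertRaises(PermissionDenied):` block (indentation is lost in this view — confirm), and if so it never runs: `component_handler` raises inside the inner `with patch(...)`, the exception propagates straight out of `assertRaises`, and the statement after the patch block is skipped. That assertion is the only thing proving the patch target `common.djangoapps.student.auth.has_course_author_access` is the name `component.py` actually calls — if `component.py` binds the function with a direct `from ... import`, the patch has no effect and the test passes only because the real function denies `self.request.user` — so dedent it to the method level, after the `assertRaises` block, and tighten it to `mocked_has_course_author_access.assert_called_once()`. Patching the name as the code under test sees it (`cms.djangoapps.contentstore.views.component.has_course_author_access`, if that is where it is imported) would make the test independent of how the import is written. A companion test with `return_value=True` showing the handler is dispatched for an author would pin the positive path; `TestComponentHandler` starts outside this hunk.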