edx-platform/openedx/core/djangoapps/discussions/permissions.py

"""
API library for Django REST Framework permissions-oriented workflows
"""
from rest_framework.exceptions import PermissionDenied
from rest_framework.permissions import BasePermission
from common.djangoapps.student.roles import CourseStaffRole, GlobalStaff, CourseInstructorRole
from lms.djangoapps.discussion.django_comment_client.utils import has_discussion_privileges
from openedx.core.lib.api.view_utils import validate_course_key
# Fallback text used when a denied permission has no dedicated message below.
DEFAULT_MESSAGE = "You're not authorized to perform this operation."

# Denial messages keyed by permission name; the keys match the ones produced
# by user_permissions_for_course().
PERMISSION_MESSAGES = {
    "change_provider": "Must be global staff to change discussion provider after the course has started.",
}
class IsStaffOrCourseTeam(BasePermission):
    """
    DRF permission that admits global staff and members of the course team.

    Access is granted when the requesting user is global staff or, for the
    course named by the ``course_key_string`` URL kwarg, is a course
    instructor, is course staff, or has discussion privileges. If none of
    those conditions are met the check is falsy and HTTP 403 is returned.
    """

    def has_permission(self, request, view):
        """
        Return a truthy value when ``request.user`` may act on the course.

        The course key is read from the view's URL kwargs and validated
        before any role lookup is made.
        """
        # The key originates from the request URL, so it is client-controlled
        # and goes through validate_course_key() first.
        # NOTE(review): a view that does not name its URL kwarg
        # 'course_key_string' passes None here -- confirm that
        # validate_course_key() rejects it rather than yielding a usable key.
        raw_key = view.kwargs.get('course_key_string')
        course_key = validate_course_key(raw_key)

        user = request.user

        # Global staff are allowed for every course.
        if GlobalStaff().has_user(user):
            return True

        # Otherwise the user needs a role scoped to this specific course.
        # has_discussion_privileges() widens access beyond staff roles; its
        # exact rules are defined elsewhere.
        return (
            CourseInstructorRole(course_key).has_user(user)
            or CourseStaffRole(course_key).has_user(user)
            or has_discussion_privileges(user, course_key)
        )
def user_permissions_for_course(course, user):
    """
    Return the user's permissions over the discussion configuration of the course.

    The result maps a permission name to its grant. ``change_provider`` is
    granted while the course has not started; once it has started, it is
    granted only if the user is global staff.
    """
    # NOTE(review): before the course starts this grants "change_provider" to
    # any user passed in, without a course-team check of its own. Presumably
    # callers are already gated by a view-level permission -- confirm.
    if not course.has_started():
        may_change_provider = True
    else:
        may_change_provider = GlobalStaff().has_user(user)

    return {"change_provider": may_change_provider}
def check_course_permissions(course, user, permission):
    """
    Check the user has permissions for the operation over the course configuration.

    Returns None when the permission is granted.

    Raises:
        PermissionDenied: if the user does not have the permission. The
            message comes from PERMISSION_MESSAGES, falling back to
            DEFAULT_MESSAGE.
    """
    # Fails closed: a permission name missing from the mapping yields None
    # from .get(), which is treated as "not granted".
    if user_permissions_for_course(course, user).get(permission):
        return

    denial_message = PERMISSION_MESSAGES.get(permission, DEFAULT_MESSAGE)
    raise PermissionDenied(denial_message)