Skip to content
Snippets Groups Projects
Unverified Commit 0a39e6db authored by Dillon Dumesnil's avatar Dillon Dumesnil Committed by GitHub
Browse files

Merge pull request #23574 from edx/ddumesnil/lms-api-staff 

Update the LMS courses API for staff permissions
parents 747a0e44 78a1b835
No related merge requests found
Hide whitespace changes
Inline Side-by-side
lms/djangoapps/course_api/api.py
+ 5
1
View file @ 0a39e6db
......@@ -38,9 +38,13 @@ def get_effective_user(requesting_user, target_username):
"""
if target_username == requesting_user.username:
return requesting_user
# This is the default behavior if username is not specified as a query parameter
# which is why the is_staff check is happening inside of here.
elif target_username == '':
if requesting_user.is_staff:
return requesting_user
return AnonymousUser()
elif can_view_courses_for_username(requesting_user, target_username):
elif target_username and can_view_courses_for_username(requesting_user, target_username):
return User.objects.get(username=target_username)
else:
raise PermissionDenied()
......
lms/djangoapps/course_api/tests/test_api.py
+ 19
7
View file @ 0a39e6db
......@@ -46,7 +46,7 @@ class CourseDetailTestMixin(CourseApiTestMixin):
"""
ENABLED_SIGNALS = ['course_published']
def _make_api_call(self, requesting_user, target_user, course_key):
def _make_api_call(self, requesting_user, target_username, course_key):
"""
Call the `course_detail` api endpoint to get information on the course
identified by `course_key`.
......@@ -54,7 +54,7 @@ class CourseDetailTestMixin(CourseApiTestMixin):
request = Request(self.request_factory.get('/'))
request.user = requesting_user
with check_mongo_calls(0):
return course_detail(request, target_user.username, course_key)
return course_detail(request, target_username, course_key)
class TestGetCourseDetail(CourseDetailTestMixin, SharedModuleStoreTestCase):
......@@ -71,25 +71,37 @@ class TestGetCourseDetail(CourseDetailTestMixin, SharedModuleStoreTestCase):
cls.staff_user = cls.create_user('staff', is_staff=True)
def test_get_existing_course(self):
course = self._make_api_call(self.honor_user, self.honor_user, self.course.id)
course = self._make_api_call(self.honor_user, self.honor_user.username, self.course.id)
self.verify_course(course)
def test_get_existing_course_as_anonymous_user(self):
course = self._make_api_call(self.honor_user, '', self.course.id)
self.verify_course(course)
def test_get_nonexistent_course(self):
course_key = CourseKey.from_string(u'edX/toy/nope')
with self.assertRaises(Http404):
self._make_api_call(self.honor_user, self.honor_user, course_key)
self._make_api_call(self.honor_user, self.honor_user.username, course_key)
def test_hidden_course_for_honor(self):
with self.assertRaises(Http404):
self._make_api_call(self.honor_user, self.honor_user, self.hidden_course.id)
self._make_api_call(self.honor_user, self.honor_user.username, self.hidden_course.id)
def test_hidden_course_for_staff(self):
course = self._make_api_call(self.staff_user, self.staff_user, self.hidden_course.id)
course = self._make_api_call(self.staff_user, self.staff_user.username, self.hidden_course.id)
self.verify_course(course, course_id=u'edX/hidden/2012_Fall')
def test_hidden_course_for_staff_no_target_username(self):
course = self._make_api_call(self.staff_user, '', self.hidden_course.id)
self.verify_course(course, course_id=u'edX/hidden/2012_Fall')
def test_hidden_course_for_staff_as_honor(self):
with self.assertRaises(Http404):
self._make_api_call(self.staff_user, self.honor_user, self.hidden_course.id)
self._make_api_call(self.staff_user, self.honor_user.username, self.hidden_course.id)
def test_permission_denied(self):
with self.assertRaises(PermissionDenied):
self._make_api_call(self.staff_user, None, self.hidden_course.id)
class CourseListTestMixin(CourseApiTestMixin):
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment