Merge PR #24012 add/masquerade

* Commits: Add is_staff check to masquerade POST Convert masquerade view to class-based

Merge PR #24012 add/masquerade
* Commits: Add is_staff check to masquerade POST Convert masquerade view to class-based
4125ae0e · stvn · 9c721d78 · 69417396 · 4125ae0e · 4125ae0e
Commit 4125ae0e authored 4 years ago by stvn
--- a/lms/djangoapps/courseware/masquerade.py
+++ b/lms/djangoapps/courseware/masquerade.py
@@ -12,8 +12,9 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
 from django.db.models import Q
+from django.utils.decorators import method_decorator
 from django.utils.translation import ugettext as _
-from django.views.decorators.http import require_POST
+from django.views import View
 from opaque_keys.edx.keys import CourseKey
 from pytz import utc
 from web_fragments.fragment import Fragment
@@ -62,44 +63,55 @@ class CourseMasquerade(object):
        self.__init__(**state)


-@require_POST
-@login_required
-@expect_json
-def handle_ajax(request, course_key_string):
+@method_decorator(login_required, name='dispatch')
+class MasqueradeView(View):
    """
-    Handle AJAX posts to update the current user's masquerade for the specified course.
-    The masquerade settings are stored in the Django session as a dict from course keys
-    to CourseMasquerade objects.
+    Create an HTTP endpoint to manage masquerade settings
    """
-    course_key = CourseKey.from_string(course_key_string)
-    masquerade_settings = request.session.get(MASQUERADE_SETTINGS_KEY, {})
-    request_json = request.json
-    role = request_json.get('role', 'student')
-    group_id = request_json.get('group_id', None)
-    user_partition_id = request_json.get('user_partition_id', None) if group_id is not None else None
-    user_name = request_json.get('user_name', None)
-    found_user_name = None
-    if user_name:
-        users_in_course = CourseEnrollment.objects.users_enrolled_in(course_key)
-        try:
-            found_user_name = users_in_course.get(Q(email=user_name) | Q(username=user_name)).username
-        except User.DoesNotExist:
+
+    @method_decorator(expect_json)
+    def post(self, request, course_key_string):
+        """
+        Handle AJAX posts to update the current user's masquerade for the specified course.
+        The masquerade settings are stored in the Django session as a dict from course keys
+        to CourseMasquerade objects.
+        """
+        course_key = CourseKey.from_string(course_key_string)
+        is_staff = has_staff_roles(request.user, course_key)
+        if not is_staff:
            return JsonResponse({
                'success': False,
-                'error': _(
-                    u'There is no user with the username or email address u"{user_identifier}" '
-                    'enrolled in this course.'
-                ).format(user_identifier=user_name)
            })
-    masquerade_settings[course_key] = CourseMasquerade(
-        course_key,
-        role=role,
-        user_partition_id=user_partition_id,
-        group_id=group_id,
-        user_name=found_user_name,
-    )
-    request.session[MASQUERADE_SETTINGS_KEY] = masquerade_settings
-    return JsonResponse({'success': True})
+        masquerade_settings = request.session.get(MASQUERADE_SETTINGS_KEY, {})
+        request_json = request.json
+        role = request_json.get('role', 'student')
+        group_id = request_json.get('group_id', None)
+        user_partition_id = request_json.get('user_partition_id', None) if group_id is not None else None
+        user_name = request_json.get('user_name', None)
+        found_user_name = None
+        if user_name:
+            users_in_course = CourseEnrollment.objects.users_enrolled_in(course_key)
+            try:
+                found_user_name = users_in_course.get(Q(email=user_name) | Q(username=user_name)).username
+            except User.DoesNotExist:
+                return JsonResponse({
+                    'success': False,
+                    'error': _(
+                        u'There is no user with the username or email address u"{user_identifier}" '
+                        'enrolled in this course.'
+                    ).format(
+                        user_identifier=user_name,
+                    ),
+                })
+        masquerade_settings[course_key] = CourseMasquerade(
+            course_key,
+            role=role,
+            user_partition_id=user_partition_id,
+            group_id=group_id,
+            user_name=found_user_name,
+        )
+        request.session[MASQUERADE_SETTINGS_KEY] = masquerade_settings
+        return JsonResponse({'success': True})


 def setup_masquerade(request, course_key, staff_access=False, reset_masquerade_data=False):

--- a/lms/djangoapps/courseware/tests/helpers.py
+++ b/lms/djangoapps/courseware/tests/helpers.py
@@ -22,7 +22,8 @@ from xblock.field_data import DictFieldData
 from edxmako.shortcuts import render_to_string
 from lms.djangoapps.courseware.access import has_access
 from lms.djangoapps.courseware.utils import verified_upgrade_deadline_link
-from lms.djangoapps.courseware.masquerade import handle_ajax, setup_masquerade
+from lms.djangoapps.courseware.masquerade import MasqueradeView
+from lms.djangoapps.courseware.masquerade import setup_masquerade
 from lms.djangoapps.lms_xblock.field_data import LmsFieldData
 from openedx.core.djangoapps.content.course_overviews.models import CourseOverview
 from openedx.core.lib.url_utils import quote_slashes
@@ -348,7 +349,7 @@ def masquerade_as_group_member(user, course, partition_id, group_id):
        user,
        data={"role": "student", "user_partition_id": partition_id, "group_id": group_id}
    )
-    response = handle_ajax(request, six.text_type(course.id))
+    response = MasqueradeView.as_view()(request, six.text_type(course.id))
    setup_masquerade(request, course.id, True)
    return response.status_code


--- a/lms/urls.py
+++ b/lms/urls.py
@@ -15,7 +15,7 @@ from ratelimitbackend import admin
 from branding import views as branding_views
 from debug import views as debug_views
 from lms.djangoapps.certificates import views as certificates_views
-from lms.djangoapps.courseware.masquerade import handle_ajax as courseware_masquerade_handle_ajax
+from lms.djangoapps.courseware.masquerade import MasqueradeView
 from lms.djangoapps.courseware.module_render import (
    handle_xblock_callback,
    handle_xblock_callback_noauth,
@@ -721,7 +721,7 @@ if settings.FEATURES.get('ENABLE_MASQUERADE'):
            r'^courses/{}/masquerade$'.format(
                settings.COURSE_KEY_PATTERN,
            ),
-            courseware_masquerade_handle_ajax,
+            MasqueradeView.as_view(),
            name='masquerade_update',
        ),
    ]