From 78b952c24ac33c468d6f347421f8d0095b72921f Mon Sep 17 00:00:00 2001
From: 0x29a
Date: Sun, 15 Oct 2023 21:36:23 +0200
Subject: [PATCH] fix: limited staff cohorts and gradebook access

Limited Staff should not have studio read access by design. However, since many LMS views depend on the `has_course_author_access` check and `course_author_access_required` decorator, we have to allow write access until the permissions become more granular. For example, there should be STUDIO_VIEW_COHORTS and STUDIO_EDIT_COHORTS specifically for the cohorts endpoint, which is used to display "Cohorts" instructor dashboard tab.

(cherry picked from commit febcccc14767378492a7a897b66023dafafda619)
---
 common/djangoapps/student/auth.py | 11 +++++++++--
 common/djangoapps/student/tests/test_authz.py | 6 +++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/common/djangoapps/student/auth.py b/common/djangoapps/student/auth.py
index 66bd6806a6ef..91b763b5d818 100644
--- a/common/djangoapps/student/auth.py
+++ b/common/djangoapps/student/auth.py
@@ -93,9 +93,16 @@ def get_user_permissions(user, course_key, org=None):
         return all_perms
     if course_key and user_has_role(user, CourseInstructorRole(course_key)):
         return all_perms
-    # Limited Course Staff does not have access to Studio.
+    # HACK: Limited Staff should not have studio read access. However, since many LMS views depend on the
+    # `has_course_author_access` check and `course_author_access_required` decorator, we have to allow write access
+    # until the permissions become more granular. For example, there could be STUDIO_VIEW_COHORTS and
+    # STUDIO_EDIT_COHORTS specifically for the cohorts endpoint, which is used to display the "Cohorts" tab of the
+    # Instructor Dashboard.
+    # The permissions matrix from the RBAC project (https://github.com/openedx/platform-roadmap/issues/246) shows that
+    # the LMS and Studio permissions will be separated as a part of this project. Once this is done (and this code is
+    # not removed during its implementation), we can replace the Limited Staff permissions with more granular ones.
     if course_key and user_has_role(user, CourseLimitedStaffRole(course_key)):
-        return STUDIO_NO_PERMISSIONS
+        return STUDIO_EDIT_CONTENT
     # Staff have all permissions except EDIT_ROLES:
     if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role(user, CourseStaffRole(course_key))):
         return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
diff --git a/common/djangoapps/student/tests/test_authz.py b/common/djangoapps/student/tests/test_authz.py
index a7a3694d3489..1c79780e88c1 100644
--- a/common/djangoapps/student/tests/test_authz.py
+++ b/common/djangoapps/student/tests/test_authz.py
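Review bot: Returning `STUDIO_EDIT_CONTENT` for Limited Staff without `STUDIO_VIEW_CONTENT` produces a write-but-not-read permission set, and the hunk's own comment says the goal is only to satisfy `has_course_author_access` / `course_author_access_required` for LMS views — yet any caller that gates purely on the write bit (presumably including Studio-side content editing, which I cannot see from here) now admits this role too, which is wider than the cohorts and gradebook views the title targets. The HACK comment explains the motivation but does not name the widened scope or an owner for the follow-up; I would append `# TODO(<owner>): Limited Staff can now reach every write-gated Studio path, not just cohorts/gradebook; remove once RBAC (platform-roadmap #246) separates LMS and Studio permissions.` so the privilege widening is visible to whoever audits this later. Also consider a test or assertion elsewhere that Limited Staff still lacks `STUDIO_VIEW_USERS` and `STUDIO_EDIT_ROLES`, since those bits are what keep this role from managing other users. `get_user_permissions` begins and ends outside this hunk.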
@@ -285,14 +285,14 @@ def test_remove_user_from_course_group_permission_denied(self):
         with pytest.raises(PermissionDenied):
             remove_users(self.staff, CourseStaffRole(self.course_key), another_staff)
-    def test_no_limited_staff_read_or_write_access(self):
+    def test_limited_staff_no_studio_read_access(self):
         """
-        Test that course limited staff have no read or write access.
+        Verifies that course limited staff have no read, but have write access.
         """
         add_users(self.global_admin, CourseLimitedStaffRole(self.course_key), self.limited_staff)
         assert not has_studio_read_access(self.limited_staff, self.course_key)
-        assert not has_studio_write_access(self.limited_staff, self.course_key)
+        assert has_studio_write_access(self.limited_staff, self.course_key)
 class CourseOrgGroupTest(TestCase):
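Review bot: The renamed test only pins the two boolean helpers, so it would still pass if a later change handed Limited Staff additional bits such as `STUDIO_VIEW_USERS` or `STUDIO_EDIT_ROLES`; since the auth.py hunk deliberately returns exactly `STUDIO_EDIT_CONTENT`, the test should pin that exact set. If `get_user_permissions` and the `STUDIO_*` constants are importable in this module, I would add `assert get_user_permissions(self.limited_staff, self.course_key) == STUDIO_EDIT_CONTENT` after the write-access assertion. The docstring could also state why write access is expected (the temporary LMS-view workaround from the commit message), otherwise a reader will take "no read, but write" as the intended permission model rather than a stopgap.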