feat: Add permission checks to role checks - lib/api/permissions (#34008

) * feat: api/permissions roles checks to permission checks
openedx · Jan 22, 2024 · 4f64dfe · 4f64dfe
1 parent 974d5bc
commit 4f64dfe
Showing 1 changed file with 31 additions and 11 deletions.
diff --git a/openedx/core/lib/api/permissions.py b/openedx/core/lib/api/permissions.py
@@ -11,6 +11,7 @@
 from rest_framework import permissions
 
 from edx_rest_framework_extensions.permissions import IsStaff, IsUserInUrl
+from openedx.core.djangoapps.course_roles.data import CourseRolesPermission
 from openedx.core.lib.log_utils import audit_log
 from common.djangoapps.student.roles import CourseInstructorRole, CourseStaffRole
 
@@ -63,14 +64,28 @@ class IsCourseStaffInstructor(permissions.BasePermission):
     """
 
     def has_object_permission(self, request, view, obj):
-        return (hasattr(request, 'user') and
-                # either the user is a staff or instructor of the master course
-                (hasattr(obj, 'course_id') and
-                 (CourseInstructorRole(obj.course_id).has_user(request.user) or
-                  CourseStaffRole(obj.course_id).has_user(request.user))) or
-                # or it is a safe method and the user is a coach on the course object
-                (request.method in permissions.SAFE_METHODS
-                 and hasattr(obj, 'coach') and obj.coach == request.user))
+        return (
+            hasattr(request, 'user') and
+            # either the user is a staff or instructor of the master course
+            # TODO: remove roles checks once course_roles is fully impelented and data is migrated
+            (
+                hasattr(obj, 'course_id') and
+                (
+                    CourseInstructorRole(obj.course_id).has_user(request.user) or
+                    CourseStaffRole(obj.course_id).has_user(request.user) or
+                    (
+                        request.user.has_perm(CourseRolesPermission.MANAGE_COURSE_SETTINGS.perm_name, obj.course_id) and
+                        request.user.has_perm(CourseRolesPermission.MANAGE_STUDENTS.perm_name, obj.course_id)
+                    )
+                )
+            ) or
+            # or it is a safe method and the user is a coach on the course object
+            (
+                request.method in permissions.SAFE_METHODS and
+                hasattr(obj, 'coach') and
+                obj.coach == request.user
+            )
+        )
 
 
 class IsMasterCourseStaffInstructor(permissions.BasePermission):
@@ -94,9 +109,12 @@ def has_permission(self, request, view):
                 course_key = CourseKey.from_string(master_course_id)
             except InvalidKeyError:
                 raise Http404()  # lint-amnesty, pylint: disable=raise-missing-from
-            return (hasattr(request, 'user') and
-                    (CourseInstructorRole(course_key).has_user(request.user) or
-                     CourseStaffRole(course_key).has_user(request.user)))
+            # TODO: remove roles checks once course_roles is fully impelented and data is migrated
+            return (hasattr(request, 'user') and (
+                    CourseInstructorRole(course_key).has_user(request.user) or
+                    CourseStaffRole(course_key).has_user(request.user) or
+                    request.user.has_perm(CourseRolesPermission.MANAGE_COURSE_SETTINGS.perm_name, course_key)
+                    ))
         return False
 
 
@@ -111,8 +129,10 @@ class IsStaffOrReadOnly(permissions.BasePermission):
     """
 
     def has_object_permission(self, request, view, obj):
+        # TODO: remove CourseStaffRole check once course_roles is fully impelented and data is migrated
         return (request.user.is_staff or
                 CourseStaffRole(obj.course_id).has_user(request.user) or
+                request.user.has_perm(CourseRolesPermission.MANAGE_STUDENTS.perm_name, obj.course_id) or
                 request.method in permissions.SAFE_METHODS)