feat: Add permission checks to role checks - program_enrollments and …

…agreements (#34001) * feat: add perm check to role check for program_enrollments and agreements
openedx · Jan 22, 2024 · 974d5bc · 974d5bc
1 parent 4a4ed72
commit 974d5bc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/lms/djangoapps/program_enrollments/rest_api/v1/serializers.py b/lms/djangoapps/program_enrollments/rest_api/v1/serializers.py
@@ -7,7 +7,7 @@
 
 from lms.djangoapps.program_enrollments.api import is_course_staff_enrollment
 from lms.djangoapps.program_enrollments.models import ProgramCourseEnrollment, ProgramEnrollment
-
+from openedx.core.djangoapps.course_roles.data import CourseRolesPermission
 from .constants import CourseRunProgressStatuses
 
 # pylint: disable=abstract-method
@@ -104,7 +104,11 @@ def get_curriculum_uuid(self, obj):
         return str(obj.program_enrollment.curriculum_uuid)
 
     def get_course_staff(self, obj):
-        return is_course_staff_enrollment(obj)
+        # TODO: remove is_course_staff_enrollment check once course_roles is fully impelented and data is migrated
+        return (
+            is_course_staff_enrollment(obj) or
+            obj.program_enrollment.user.has_perm(CourseRolesPermission.MANAGE_STUDENTS.perm_name, obj.course_key)
+        )
 
 
 class ProgramCourseEnrollmentRequestSerializer(serializers.Serializer, InvalidStatusMixin):

diff --git a/openedx/core/djangoapps/agreements/views.py b/openedx/core/djangoapps/agreements/views.py
@@ -19,6 +19,7 @@
     get_integrity_signature,
 )
 from openedx.core.djangoapps.agreements.serializers import IntegritySignatureSerializer, LTIPIISignatureSerializer
+from openedx.core.djangoapps.course_roles.data import CourseRolesPermission
 
 
 def is_user_course_or_global_staff(user, course_id):
@@ -27,7 +28,13 @@ def is_user_course_or_global_staff(user, course_id):
     or is global staff.
     """
 
-    return user.is_staff or auth.user_has_role(user, CourseStaffRole(CourseKey.from_string(course_id)))
+    # TODO: remove user_has_role check once course_roles is fully impelented and data is migrated
+    course_key = CourseKey.from_string(course_id)
+    return (
+        user.is_staff or
+        auth.user_has_role(user, CourseStaffRole(course_key)) or
+        user.has_perm(CourseRolesPermission.MANAGE_STUDENTS.perm_name, course_key)
+    )
 
 
 class AuthenticatedAPIView(APIView):