Skip to content

Commit

Permalink
fix: limited staff cohorts and gradebook access
Browse files Browse the repository at this point in the history
Limited Staff should not have studio read access by design.

However, since many LMS views depend on the `has_course_author_access` check and `course_author_access_required`
decorator, we have to allow write access until the permissions become more granular. For example, there should
be STUDIO_VIEW_COHORTS and STUDIO_EDIT_COHORTS specifically for the cohorts endpoint, which is used to display
"Cohorts" instructor dashboard tab.

(cherry picked from commit febcccc)
  • Loading branch information
0x29a authored and Agrendalath committed Oct 18, 2023
1 parent a00894b commit 4e6820f
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 5 deletions.
11 changes: 9 additions & 2 deletions common/djangoapps/student/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -93,9 +93,16 @@ def get_user_permissions(user, course_key, org=None):
return all_perms
if course_key and user_has_role(user, CourseInstructorRole(course_key)):
return all_perms
# Limited Course Staff does not have access to Studio.
# HACK: Limited Staff should not have studio read access. However, since many LMS views depend on the
# `has_course_author_access` check and `course_author_access_required` decorator, we have to allow write access
# until the permissions become more granular. For example, there could be STUDIO_VIEW_COHORTS and
# STUDIO_EDIT_COHORTS specifically for the cohorts endpoint, which is used to display the "Cohorts" tab of the
# Instructor Dashboard.
# The permissions matrix from the RBAC project (https://github.com/openedx/platform-roadmap/issues/246) shows that
# the LMS and Studio permissions will be separated as a part of this project. Once this is done (and this code is
# not removed during its implementation), we can replace the Limited Staff permissions with more granular ones.
if course_key and user_has_role(user, CourseLimitedStaffRole(course_key)):
return STUDIO_NO_PERMISSIONS
return STUDIO_EDIT_CONTENT
# Staff have all permissions except EDIT_ROLES:
if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role(user, CourseStaffRole(course_key))):
return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
Expand Down
6 changes: 3 additions & 3 deletions common/djangoapps/student/tests/test_authz.py
Original file line number Diff line number Diff line change
Expand Up @@ -285,14 +285,14 @@ def test_remove_user_from_course_group_permission_denied(self):
with pytest.raises(PermissionDenied):
remove_users(self.staff, CourseStaffRole(self.course_key), another_staff)

def test_no_limited_staff_read_or_write_access(self):
def test_limited_staff_no_studio_read_access(self):
"""
Test that course limited staff have no read or write access.
Verifies that course limited staff have no read, but have write access.
"""
add_users(self.global_admin, CourseLimitedStaffRole(self.course_key), self.limited_staff)

assert not has_studio_read_access(self.limited_staff, self.course_key)
assert not has_studio_write_access(self.limited_staff, self.course_key)
assert has_studio_write_access(self.limited_staff, self.course_key)


class CourseOrgGroupTest(TestCase):
Expand Down

0 comments on commit 4e6820f

Please sign in to comment.