[LEARNER-1104] Allow staff members to view enrollment for any user

2a7b4167 · Marko Jevtic · 2d6b477e · 2a7b4167 · 2a7b4167
Commit 2a7b4167 authored Jul 19, 2017 by Marko Jevtic
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

common/djangoapps/enrollment/tests/test_views.py
+4 -4

common/djangoapps/enrollment/views.py
+1 -1

No files found.
--- a/common/djangoapps/enrollment/tests/test_views.py
+++ b/common/djangoapps/enrollment/tests/test_views.py
@@ -385,7 +385,7 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
    def test_user_does_not_match_param(self):
        """
        The view should return status 404 if the enrollment username does not match the username of the user
-        making the request, unless the request is made by a superuser or with a server API key.
+        making the request, unless the request is made by a staff user or with a server API key.
        """
        CourseModeFactory.create(
            course_id=self.course.id,
@@ -403,9 +403,9 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
        response = self.client.get(url, **{'HTTP_X_EDX_API_KEY': self.API_KEY})
        self.assertEqual(response.status_code, status.HTTP_200_OK)

-        # Verify superusers have access to this endpoint
-        superuser = UserFactory.create(password=self.PASSWORD, is_superuser=True)
-        self.client.login(username=superuser.username, password=self.PASSWORD)
+        # Verify staff have access to this endpoint
+        staff_user = UserFactory.create(password=self.PASSWORD, is_staff=True)
+        self.client.login(username=staff_user.username, password=self.PASSWORD)
        response = self.client.get(url)
        self.assertEqual(response.status_code, status.HTTP_200_OK)


--- a/common/djangoapps/enrollment/views.py
+++ b/common/djangoapps/enrollment/views.py
@@ -167,7 +167,7 @@ class EnrollmentView(APIView, ApiKeyPermissionMixIn):

        # TODO Implement proper permissions
        if request.user.username != username and not self.has_api_key_permissions(request) \
-                and not request.user.is_superuser:
+                and not request.user.is_staff:
            # Return a 404 instead of a 403 (Unauthorized). If one user is looking up
            # other users, do not let them deduce the existence of an enrollment.
            return Response(status=status.HTTP_404_NOT_FOUND)