Commit 2a7b4167 by Marko Jevtic

[LEARNER-1104] Allow staff members to view enrollment for any user

parent 2d6b477e
...@@ -385,7 +385,7 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente ...@@ -385,7 +385,7 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
def test_user_does_not_match_param(self): def test_user_does_not_match_param(self):
""" """
The view should return status 404 if the enrollment username does not match the username of the user The view should return status 404 if the enrollment username does not match the username of the user
making the request, unless the request is made by a superuser or with a server API key. making the request, unless the request is made by a staff user or with a server API key.
""" """
CourseModeFactory.create( CourseModeFactory.create(
course_id=self.course.id, course_id=self.course.id,
...@@ -403,9 +403,9 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente ...@@ -403,9 +403,9 @@ class EnrollmentTest(EnrollmentTestMixin, ModuleStoreTestCase, APITestCase, Ente
response = self.client.get(url, **{'HTTP_X_EDX_API_KEY': self.API_KEY}) response = self.client.get(url, **{'HTTP_X_EDX_API_KEY': self.API_KEY})
self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
# Verify superusers have access to this endpoint # Verify staff have access to this endpoint
superuser = UserFactory.create(password=self.PASSWORD, is_superuser=True) staff_user = UserFactory.create(password=self.PASSWORD, is_staff=True)
self.client.login(username=superuser.username, password=self.PASSWORD) self.client.login(username=staff_user.username, password=self.PASSWORD)
response = self.client.get(url) response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
......
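Review bot: The new staff case at the end of the second hunk replaces the superuser case instead of adding to it, so this test no longer pins that a superuser who is not also `is_staff` can read another user's enrollment, and it adds no denial case for a plain user once the whitelist has been widened to all staff. Keeping both accounts would cover both paths: leave `superuser = UserFactory.create(password=self.PASSWORD, is_superuser=True)` with its login and 200 assertion, then add the `staff_user` login and assertion after it. The comment `# Verify staff have access to this endpoint` could note that superusers are expected to pass too, since that is the behaviour the view previously guaranteed. The rest of the test body and the 404 case for non-matching users lie outside the visible lines.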
...@@ -167,7 +167,7 @@ class EnrollmentView(APIView, ApiKeyPermissionMixIn): ...@@ -167,7 +167,7 @@ class EnrollmentView(APIView, ApiKeyPermissionMixIn):
# TODO Implement proper permissions # TODO Implement proper permissions
if request.user.username != username and not self.has_api_key_permissions(request) \ if request.user.username != username and not self.has_api_key_permissions(request) \
and not request.user.is_superuser: and not request.user.is_staff:
# Return a 404 instead of a 403 (Unauthorized). If one user is looking up # Return a 404 instead of a 403 (Unauthorized). If one user is looking up
# other users, do not let them deduce the existence of an enrollment. # other users, do not let them deduce the existence of an enrollment.
return Response(status=status.HTTP_404_NOT_FOUND) return Response(status=status.HTTP_404_NOT_FOUND)
......
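Review bot: Swapping `is_superuser` for `is_staff` in the new condition removes access for superusers that do not carry `is_staff`; in Django the two flags are independent booleans, so such an account now receives the 404 below. If the intent is to widen the exception rather than move it, keep both flags: `and not (request.user.is_staff or request.user.is_superuser):`. The change also grows the set of accounts allowed to look up any user's enrollment from superusers to every staff account, while the `# TODO Implement proper permissions` line above still describes the check as provisional; a short comment such as `# Staff may read any user's enrollment (LEARNER-1104)` would record that the broadening is deliberate. The enclosing method begins and ends outside the hunk.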