mattdrayer/api-users-courses-roles: Added support for setting user roles

4f164247 · Matt Drayer · Jonathan Piacenti · e5a025df · 4f164247 · 4f164247
Commit 4f164247 authored 10 years ago by Matt Drayer Committed by Jonathan Piacenti 9 years ago
7 changed files
--- a/lms/djangoapps/api_manager/courses/tests.py
+++ b/lms/djangoapps/api_manager/courses/tests.py
@@ -17,6 +17,8 @@ from django.test.utils import override_settings
 from capa.tests.response_xml_factory import StringResponseXMLFactory
 from courseware.tests.factories import StudentModuleFactory
 from courseware.tests.modulestore_config import TEST_DATA_MIXED_MODULESTORE
+from django_comment_common.models import Role, FORUM_ROLE_MODERATOR
+from instructor.access import allow_access
 from student.tests.factories import UserFactory, CourseEnrollmentFactory
 from xmodule.modulestore.tests.factories import CourseFactory, ItemFactory
@@ -189,6 +191,10 @@ class CoursesApiTests(TestCase):
        self.client = SecureClient()
        cache.clear()
+        Role.objects.get_or_create(
+            name=FORUM_ROLE_MODERATOR,
+            course_id=self.course.id)
    def do_get(self, uri):
        """Submit an HTTP GET request"""
        headers = {
@@ -1778,3 +1784,90 @@ class CoursesApiTests(TestCase):
        self.assertEqual(len(response.data['results']), 1)
        self.assertEqual(response.data['results'][0]['city'], 'Denver')
        self.assertEqual(response.data['results'][0]['count'], 5)
+    def test_courses_roles_list_get(self):
+        allow_access(self.course, self.users[0], 'staff')
+        allow_access(self.course, self.users[1], 'instructor')
+        allow_access(self.course, self.users[2], 'staff')
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 3)
+        # filter roleset by user
+        user_id = {'user_id': '{}'.format(self.users[0].id)}
+        test_uri = '{}?{}'.format(test_uri, urlencode(user_id))
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 1)
+    def test_courses_roles_list_get_invalid_course(self):
+        test_uri = '/api/courses/{}/roles/'.format(self.test_bogus_course_id)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_courses_roles_list_post(self):
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 0)
+        data = {'user_id': self.users[0].id, 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 201)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 1)
+    def test_courses_roles_list_post_invalid_course(self):
+        test_uri = '/api/courses/{}/roles/'.format(self.test_bogus_course_id)
+        data = {'user_id': self.users[0].id, 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 404)
+    def test_courses_roles_list_post_invalid_user(self):
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        data = {'user_id': 23423, 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 404)
+    def test_courses_roles_list_post_invalid_role(self):
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        data = {'user_id': self.users[0].id, 'role': 'invalid_role'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 400)
+    def test_courses_roles_users_detail_delete(self):
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        data = {'user_id': self.users[0].id, 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 201)
+        response = self.do_get(test_uri)
+        self.assertEqual(len(response.data), 1)
+        delete_uri = '{}instructor/users/{}'.format(test_uri, self.users[0].id)
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 204)
+        response = self.do_get(test_uri)
+        self.assertEqual(len(response.data), 0)
+    def test_courses_roles_users_detail_delete_invalid_course(self):
+        test_uri = '/api/courses/{}/roles/'.format(self.test_bogus_course_id)
+        delete_uri = '{}instructor/users/{}'.format(test_uri, self.users[0].id)
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_courses_roles_users_detail_delete_invalid_user(self):
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        delete_uri = '{}instructor/users/291231'.format(test_uri)
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_courses_roles_users_detail_delete_invalid_role(self):
+        test_uri = '/api/courses/{}/roles/'.format(unicode(self.course.id))
+        delete_uri = '{}invalid_role/users/{}'.format(test_uri, self.users[0].id)
+        print delete_uri
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 404)
--- a/lms/djangoapps/api_manager/courses/urls.py
+++ b/lms/djangoapps/api_manager/courses/urls.py
@@ -20,19 +20,21 @@ urlpatterns = patterns(
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/groups/(?P<group_id>[0-9]+)$', courses_views.CoursesGroupsDetail.as_view()),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/groups/*$', courses_views.CoursesGroupsList.as_view()),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/overview/*$', courses_views.CoursesOverview.as_view()),
-    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/updates/*$', courses_views.CoursesUpdates.as_view()),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/static_tabs/(?P<tab_id>[a-zA-Z0-9_+\/:]+)$', courses_views.CoursesStaticTabsDetail.as_view()),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/static_tabs/*$', courses_views.CoursesStaticTabsList.as_view()),
-    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/users/(?P<user_id>[0-9]+)$', courses_views.CoursesUsersDetail.as_view()),
-    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/users/*$', courses_views.CoursesUsersList.as_view()),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/completions/*$', courses_views.CourseModuleCompletionList.as_view(), name='completion-list'),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/projects/*$', courses_views.CoursesProjectList.as_view(), name='courseproject-list'),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/*$', courses_views.CourseMetrics.as_view(), name='course-metrics'),
-    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/proficiency/leaders/*$', courses_views.CoursesLeadersList.as_view(), name='course-metrics-proficiency-leaders'),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/cities/$', courses_views.CoursesCitiesMetrics.as_view(), name='courses-cities-metrics'),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/completions/leaders/*$', courses_views.CoursesCompletionsLeadersList.as_view(), name='course-metrics-completions-leaders'),
-    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/workgroups/*$', courses_views.CoursesWorkgroupsList.as_view()),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/proficiency/leaders/*$', courses_views.CoursesLeadersList.as_view(), name='course-metrics-proficiency-leaders'),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/social/$', courses_views.CoursesSocialMetrics.as_view(), name='courses-social-metrics'),
-    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/metrics/cities/$', courses_views.CoursesCitiesMetrics.as_view(), name='courses-cities-metrics'),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/roles/(?P<role>[a-z_]+)/users/(?P<user_id>[0-9]+)*$', courses_views.CoursesRolesUsersDetail.as_view(), name='courses-roles-users-detail'),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/roles/*$', courses_views.CoursesRolesList.as_view(), name='courses-roles-list'),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/updates/*$', courses_views.CoursesUpdates.as_view()),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/users/(?P<user_id>[0-9]+)$', courses_views.CoursesUsersDetail.as_view()),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/users/*$', courses_views.CoursesUsersList.as_view()),
+    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)/workgroups/*$', courses_views.CoursesWorkgroupsList.as_view()),
    url(r'^(?P<course_id>[a-zA-Z0-9_+\/:]+)$', courses_views.CoursesDetail.as_view()),
    url(r'/*$^', courses_views.CoursesList.as_view()),
 )

--- a/lms/djangoapps/api_manager/courses/views.py
+++ b/lms/djangoapps/api_manager/courses/views.py
@@ -6,6 +6,7 @@ import itertools
 from lxml import etree
 from StringIO import StringIO
 from django.conf import settings
 from django.contrib.auth.models import Group, User
 from django.core.exceptions import ObjectDoesNotExist
@@ -20,7 +21,11 @@ from rest_framework.response import Response
 from courseware.courses import get_course_about_section, get_course_info_section
 from courseware.models import StudentModule
 from courseware.views import get_static_tab_contents
+from django_comment_common.models import FORUM_ROLE_MODERATOR
+from instructor.access import allow_access, revoke_access, update_forum_role
 from student.models import CourseEnrollment, CourseEnrollmentAllowed
+from student.roles import CourseInstructorRole, CourseStaffRole
 from xmodule.modulestore.django import modulestore
 from api_manager.courseware_access import get_course, get_course_child
@@ -31,7 +36,6 @@ from api_manager.users.serializers import UserSerializer, UserCountByCitySeriali
 from api_manager.utils import generate_base_uri
 from projects.models import Project, Workgroup
 from projects.serializers import ProjectSerializer, BasicWorkgroupSerializer
 from .serializers import CourseModuleCompletionSerializer
 from .serializers import GradeSerializer, CourseLeadersSerializer, CourseCompletionsLeadersSerializer
@@ -975,7 +979,7 @@ class CoursesUsersList(SecureAPIView):
    def get(self, request, course_id):
        """
-        GET /api/courses/{course_id}
+        GET /api/courses/{course_id}/users
        """
        orgs = request.QUERY_PARAMS.get('organizations')
        groups = request.QUERY_PARAMS.get('groups', None)
@@ -1644,3 +1648,96 @@ class CoursesCitiesMetrics(SecureListAPIView):
        queryset = queryset.values('profile__city').annotate(count=Count('profile__city'))\
            .filter(count__gt=0).order_by('-count')
        return queryset
+class CoursesRolesList(SecureAPIView):
+    """
+    ### The CoursesRolesList view allows clients to interact with the Course's roleset
+    - URI: ```/api/courses/{course_id}/roles```
+    - GET: Returns a JSON representation of the specified Course roleset
+    ### Use Cases/Notes:
+    * Use the CoursesRolesList view to manage a User's TA status
+    * Use GET to retrieve the set of roles configured for a particular course
+    """
+    def get(self, request, course_id):  # pylint: disable=W0613
+        """
+        GET /api/courses/{course_id}/roles/
+        """
+        course_id = self.kwargs['course_id']
+        course_descriptor, course_key, course_content = get_course(self.request, self.request.user, course_id, depth=None)  # pylint: disable=W0612
+        if not course_descriptor:
+            raise Http404
+        response_data = []
+        instructors = CourseInstructorRole(course_key).users_with_role()
+        for instructor in instructors:
+            response_data.append({'id': instructor.id, 'role': 'instructor'})
+        staff = CourseStaffRole(course_key).users_with_role()
+        for admin in staff:
+            response_data.append({'id': admin.id, 'role': 'staff'})
+        user_id = self.request.QUERY_PARAMS.get('user_id', None)
+        if user_id:
+            response_data = list([item for item in response_data if int(item['id']) == int(user_id)])
+        return Response(response_data, status=status.HTTP_200_OK)
+    def post(self, request, course_id):
+        """
+        POST /api/courses/{course_id}/roles/
+        """
+        course_id = self.kwargs['course_id']
+        course_descriptor, course_key, course_content = get_course(self.request, self.request.user, course_id, depth=None)  # pylint: disable=W0612
+        if not course_descriptor:
+            raise Http404
+        user_id = request.DATA.get('user_id', None)
+        try:
+            user = User.objects.get(id=user_id)
+        except ObjectDoesNotExist:
+            raise Http404
+        role = request.DATA.get('role', None)
+        try:
+            allow_access(course_descriptor, user, role)
+            update_forum_role(course_key, user, FORUM_ROLE_MODERATOR, 'allow')
+        except ValueError:
+            return Response({}, status=status.HTTP_400_BAD_REQUEST)
+        return Response(request.DATA, status=status.HTTP_201_CREATED)
+class CoursesRolesUsersDetail(SecureAPIView):
+    """
+    ### The CoursesUsersRolesDetail view allows clients to interact with a specific Course Role
+    - URI: ```/api/courses/{course_id}/roles/{role}/users/{user_id}```
+    - DELETE: Removes an existing Course Role specification
+    ### Use Cases/Notes:
+    * Use the DELETE operation to revoke a particular role for the specified user
+    """
+    def delete(self, request, course_id, role, user_id):  # pylint: disable=W0613
+        """
+        DELETE /api/courses/{course_id}/roles/{role}/users/{user_id}
+        """
+        course_id = self.kwargs['course_id']
+        course_descriptor, course_key, course_content = get_course(self.request, self.request.user, course_id, depth=None)  # pylint: disable=W0612
+        if not course_descriptor:
+            return Response({}, status=status.HTTP_404_NOT_FOUND)
+        user_id = self.kwargs['user_id']
+        try:
+            user = User.objects.get(id=user_id)
+        except ObjectDoesNotExist:
+            return Response({}, status=status.HTTP_404_NOT_FOUND)
+        role = self.kwargs['role']
+        try:
+            revoke_access(course_descriptor, user, role)
+            update_forum_role(course_key, user, FORUM_ROLE_MODERATOR, 'revoke')
+        except ValueError:
+            return Response({}, status=status.HTTP_404_NOT_FOUND)
+        return Response({}, status=status.HTTP_204_NO_CONTENT)
--- a/lms/djangoapps/api_manager/users/serializers.py
+++ b/lms/djangoapps/api_manager/users/serializers.py
@@ -21,3 +21,9 @@ class UserCountByCitySerializer(serializers.Serializer):
    """ Serializer for user count by city """
    city = serializers.CharField(source='profile__city')
    count = serializers.IntegerField()
+class UserRolesSerializer(serializers.Serializer):
+    """ Serializer for user roles """
+    course_id = serializers.CharField(source='course_id')
+    role = serializers.CharField(source='role')
--- a/lms/djangoapps/api_manager/users/tests.py
+++ b/lms/djangoapps/api_manager/users/tests.py
@@ -19,6 +19,8 @@ from django.test.utils import override_settings
 from capa.tests.response_xml_factory import StringResponseXMLFactory
 from courseware.tests.factories import StudentModuleFactory
+from django_comment_common.models import Role, FORUM_ROLE_MODERATOR
+from instructor.access import allow_access
 from projects.models import Project
 from student.tests.factories import UserFactory
 from student.models import anonymous_id_for_user
@@ -93,6 +95,10 @@ class UsersApiTests(ModuleStoreTestCase):
        self.client = SecureClient()
        cache.clear()
+        Role.objects.get_or_create(
+            name=FORUM_ROLE_MODERATOR,
+            course_id=self.course.id)
    def do_post(self, uri, data):
        """Submit an HTTP POST request"""
        headers = {
@@ -1346,3 +1352,106 @@ class UsersApiTests(ModuleStoreTestCase):
        test_uri = '/api/users/{}/courses/{}/metrics/social/'.format(12345, self.course.id)
        response = self.do_get(test_uri)
        self.assertEqual(response.status_code, 404)
+    def test_users_roles_list_get(self):
+        allow_access(self.course, self.user, 'staff')
+        course2 = CourseFactory.create(
+            display_name="TEST COURSE2",
+            start=datetime(2014, 6, 16, 14, 30),
+            end=datetime(2015, 1, 16, 14, 30)
+        )
+        allow_access(course2, self.user, 'instructor')
+        course3 = CourseFactory.create(
+            display_name="TEST COURSE3",
+            start=datetime(2014, 6, 16, 14, 30),
+            end=datetime(2015, 1, 16, 14, 30)
+        )
+        allow_access(course3, self.user, 'staff')
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['count'], 3)
+        # filter roleset by course
+        course_id = {'course_id': '{}'.format(unicode(course3.id))}
+        test_uri = '{}?{}'.format(test_uri, urlencode(course_id))
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['count'], 1)
+    def test_users_roles_list_get_invalid_user(self):
+        test_uri = '/api/users/23423/roles/'
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_users_roles_list_get_invalid_course(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        course_id = {'course_id': '{}'.format(unicode(self.test_bogus_course_id))}
+        test_uri = '{}?{}'.format(test_uri, urlencode(course_id))
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_users_roles_list_post(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['count'], 0)
+        data = {'course_id': unicode(self.course.id), 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 201)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['count'], 1)
+    def test_users_roles_list_post_invalid_user(self):
+        test_uri = '/api/users/2131/roles/'
+        data = {'course_id': unicode(self.course.id), 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 404)
+    def test_users_roles_list_post_invalid_course(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        data = {'course_id': self.test_bogus_course_id, 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 404)
+    def test_users_roles_list_post_invalid_role(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        data = {'course_id': unicode(self.course.id), 'role': 'invalid_role'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 400)
+    def test_users_roles_courses_detail_delete(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        data = {'course_id': unicode(self.course.id), 'role': 'instructor'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 201)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.data['count'], 1)
+        delete_uri = '{}instructor/courses/{}'.format(test_uri, unicode(self.course.id))
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 204)
+        response = self.do_get(test_uri)
+        self.assertEqual(response.data['count'], 0)
+    def test_users_roles_courses_detail_delete_invalid_course(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        delete_uri = '{}instructor/courses/{}'.format(test_uri, self.test_bogus_course_id)
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_users_roles_courses_detail_delete_invalid_user(self):
+        test_uri = '/api/users/124134/roles/'
+        delete_uri = '{}instructor/courses/{}'.format(test_uri, unicode(self.course.id))
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 404)
+    def test_users_roles_courses_detail_delete_invalid_role(self):
+        test_uri = '/api/users/{}/roles/'.format(self.user.id)
+        delete_uri = '{}invalid_role/courses/{}'.format(test_uri, unicode(self.course.id))
+        response = self.do_delete(delete_uri)
+        self.assertEqual(response.status_code, 404)
--- a/lms/djangoapps/api_manager/users/urls.py
+++ b/lms/djangoapps/api_manager/users/urls.py
@@ -22,6 +22,8 @@ urlpatterns = patterns(
    url(r'^(?P<user_id>[a-zA-Z0-9]+)/preferences$', users_views.UsersPreferences.as_view(), name='users-preferences-list'),
    url(r'^(?P<user_id>[a-zA-Z0-9]+)/preferences/(?P<preference_id>[a-zA-Z0-9_]+)$', users_views.UsersPreferencesDetail.as_view(), name='users-preferences-detail'),
    url(r'^(?P<user_id>[a-zA-Z0-9]+)/organizations/$', users_views.UsersOrganizationsList.as_view(), name='users-organizations-list'),
+    url(r'^(?P<user_id>[a-zA-Z0-9]+)/roles/(?P<role>[a-z_]+)/courses/(?P<course_id>[a-zA-Z0-9_+\/:]+)$', users_views.UsersRolesCoursesDetail.as_view(), name='users-roles-courses-detail'),
+    url(r'^(?P<user_id>[a-zA-Z0-9]+)/roles/*$', users_views.UsersRolesList.as_view(), name='users-roles-list'),
    url(r'^(?P<user_id>[a-zA-Z0-9]+)/workgroups/$', users_views.UsersWorkgroupsList.as_view(), name='users-workgroups-list'),
    url(r'^(?P<user_id>[a-zA-Z0-9]+)$', users_views.UsersDetail.as_view(), name='apimgr-users-detail'),
    url(r'/*$^', users_views.UsersList.as_view(), name='apimgr-users-list'),

--- a/lms/djangoapps/api_manager/users/views.py
+++ b/lms/djangoapps/api_manager/users/views.py
@@ -15,37 +15,32 @@ from rest_framework import status
 from rest_framework import filters
 from rest_framework.response import Response
+from courseware import grades, module_render
-from api_manager.courseware_access import get_course, get_course_child, get_course_total_score
-from api_manager.permissions import SecureAPIView, SecureListAPIView, IdsInFilterBackend, HasOrgsFilterBackend
-from api_manager.models import GroupProfile, APIUser as User
-from api_manager.organizations.serializers import OrganizationSerializer
-from api_manager.courses.serializers import CourseModuleCompletionSerializer
-from api_manager.utils import generate_base_uri
-from projects.serializers import BasicWorkgroupSerializer
-from .serializers import UserSerializer, UserCountByCitySerializer
-from courseware import module_render
 from courseware.model_data import FieldDataCache
 from courseware.models import StudentModule
-from courseware.views import get_module_for_descriptor, save_child_position, get_current_child
+from courseware.views import save_child_position, get_current_child
+from django_comment_common.models import FORUM_ROLE_MODERATOR
+from instructor.access import allow_access, revoke_access, update_forum_role
 from lang_pref import LANGUAGE_KEY
+from lms.lib.comment_client.user import User as CommentUser
+from lms.lib.comment_client.utils import CommentClientRequestError
 from student.models import CourseEnrollment, PasswordHistory, UserProfile
 from openedx.core.djangoapps.user_api.models import UserPreference
-from xmodule.modulestore.django import modulestore
+from student.roles import CourseInstructorRole, CourseStaffRole, UserBasedRole
+from util.bad_request_rate_limiter import BadRequestRateLimiter
 from util.password_policy_validators import (
    validate_password_length, validate_password_complexity,
    validate_password_dictionary
 )
-from util.bad_request_rate_limiter import BadRequestRateLimiter
-from courseware import grades
-from lms.lib.comment_client.user import User as CommentUser
+from api_manager.courses.serializers import CourseModuleCompletionSerializer
-from lms.lib.comment_client.utils import CommentClientRequestError
+from api_manager.courseware_access import get_course, get_course_child, get_course_total_score
+from api_manager.permissions import SecureAPIView, SecureListAPIView, IdsInFilterBackend, HasOrgsFilterBackend
+from api_manager.models import GroupProfile, APIUser as User
+from api_manager.organizations.serializers import OrganizationSerializer
+from api_manager.utils import generate_base_uri
+from projects.serializers import BasicWorkgroupSerializer
+from .serializers import UserSerializer, UserCountByCitySerializer, UserRolesSerializer
 log = logging.getLogger(__name__)
 AUDIT_LOG = logging.getLogger("audit")
@@ -713,8 +708,6 @@ class UsersCoursesDetail(SecureAPIView):
                return Response(response_data, status=status.HTTP_400_BAD_REQUEST)
            response_data['position'] = content_position
        return Response(response_data, status=status.HTTP_200_OK)
    def get(self, request, user_id, course_id):
@@ -1083,3 +1076,95 @@ class UsersMetricsCitiesList(SecureListAPIView):
        queryset = queryset.values('profile__city').annotate(count=Count('profile__city'))\
            .filter(count__gt=0).order_by('-count')
        return queryset
+class UsersRolesList(SecureListAPIView):
+    """
+    ### The UsersRolesList view allows clients to interact with the User's roleset
+    - URI: ```/api/users/{user_id}/courses/{course_id}/roles```
+    - GET: Returns a JSON representation of the specified Course roleset
+    ### Use Cases/Notes:
+    * Use the UsersRolesList view to manage a User's TA status
+    * Use GET to retrieve the set of roles a User plays for a particular course
+    """
+    serializer_class = UserRolesSerializer
+    def get_queryset(self):
+        user_id = self.kwargs['user_id']
+        try:
+            user = User.objects.get(id=user_id)
+        except ObjectDoesNotExist:
+            raise Http404
+        instructor_courses = UserBasedRole(user, CourseInstructorRole.ROLE).courses_with_role()
+        staff_courses = UserBasedRole(user, CourseStaffRole.ROLE).courses_with_role()
+        queryset = instructor_courses | staff_courses
+        course_id = self.request.QUERY_PARAMS.get('course_id', None)
+        if course_id:
+            course_descriptor, course_key, course_content = get_course(self.request, user, course_id, depth=None)  # pylint: disable=W0612
+            if not course_descriptor:
+                raise Http404
+            queryset = queryset.filter(course_id=course_key)
+        return queryset
+    def post(self, request, user_id):
+        """
+        POST /api/users/{user_id}/roles/
+        """
+        user_id = self.kwargs['user_id']
+        try:
+            user = User.objects.get(id=user_id)
+        except ObjectDoesNotExist:
+            raise Http404
+        course_id = request.DATA.get('course_id', None)
+        course_descriptor, course_key, course_content = get_course(self.request, self.request.user, course_id, depth=None)  # pylint: disable=W0612
+        if not course_descriptor:
+            raise Http404
+        role = request.DATA.get('role', None)
+        try:
+            allow_access(course_descriptor, user, role)
+            update_forum_role(course_key, user, FORUM_ROLE_MODERATOR, 'allow')
+        except ValueError:
+            return Response({}, status=status.HTTP_400_BAD_REQUEST)
+        return Response(request.DATA, status=status.HTTP_201_CREATED)
+class UsersRolesCoursesDetail(SecureAPIView):
+    """
+    ### The UsersRolesCoursesDetail view allows clients to interact with a specific User/Course Role
+    - URI: ```/api/users/{user_id}/roles/{role}/courses/{course_id}/```
+    - DELETE: Removes an existing Course Role specification
+    ### Use Cases/Notes:
+    * Use the DELETE operation to revoke a particular role for the specified user
+    """
+    def delete(self, request, user_id, role, course_id):  # pylint: disable=W0613
+        """
+        DELETE /api/users/{user_id}/roles/{role}/courses/{course_id}
+        """
+        course_id = self.kwargs['course_id']
+        print course_id
+        course_descriptor, course_key, course_content = get_course(self.request, self.request.user, course_id, depth=None)  # pylint: disable=W0612
+        if not course_descriptor:
+            return Response({}, status=status.HTTP_404_NOT_FOUND)
+        user_id = self.kwargs['user_id']
+        print user_id
+        try:
+            user = User.objects.get(id=user_id)
+        except ObjectDoesNotExist:
+            return Response({}, status=status.HTTP_404_NOT_FOUND)
+        role = self.kwargs['role']
+        try:
+            revoke_access(course_descriptor, user, role)
+            update_forum_role(course_key, user, FORUM_ROLE_MODERATOR, 'revoke')
+        except ValueError:
+            return Response({}, status=status.HTTP_404_NOT_FOUND)
+        return Response({}, status=status.HTTP_204_NO_CONTENT)