add distinct 'admin' role separate from 'editors'. Only 'admins' should be able…

add distinct 'admin' role separate from 'editors'. Only 'admins' should be able to add/remove editors.

add distinct 'admin' role separate from 'editors'. Only 'admins' should be able…
add distinct 'admin' role separate from 'editors'. Only 'admins' should be able to add/remove editors.
580e620b · Chris Dodge · 27016465 · 580e620b · 580e620b
Commit 580e620b authored Oct 01, 2012 by Chris Dodge
Hide whitespace changes
Inline Side-by-side

Showing with 48 additions and 24 deletions

cms/djangoapps/auth/authz.py
+38 -14

cms/djangoapps/contentstore/views.py
+10 -10

No files found.
--- a/cms/djangoapps/auth/authz.py
+++ b/cms/djangoapps/auth/authz.py
@@ -2,9 +2,14 @@ import logging
 import sys

 from django.contrib.auth.models import User, Group
+from django.core.exceptions import PermissionDenied

 from xmodule.modulestore import Location

+# define a couple of simple roles, we just need ADMIN and EDITOR now for our purposes
+ADMIN_ROLE_NAME = 'admin'
+EDITOR_ROLE_NAME = 'editor'
+
 # we're just making a Django group for each location/role combo
 # to do this we're just creating a Group name which is a formatted string
 # of those two variables
@@ -19,26 +24,45 @@ def get_users_in_course_group_by_role(location, role):
    return group.user_set.all()


+'''
+Create all permission groups for a new course and subscribe the caller into those roles
+'''
+def create_all_course_groups(creator, location):
+    create_new_course_group(creator, location, ADMIN_GROUP_NAME)
+    create_new_course_group(creator, location, EDITOR_GROUP_NAME)
+
+
+def create_new_course_group(creator, location, role):
+    groupname = get_course_groupname_for_role(location, role)
+    (group, created) =Group.get_or_create(name=groupname)
+    if created:
+        group.save()
+
+    creator.groups.add(group)
+    creator.save()
+
+    return
+
+
 def add_user_to_course_group(caller, user, location, role):
-    # @todo: make sure caller has 'admin' permissions in the course
+    # only admins can add/remove other users
+    if not is_user_in_course_group_role(caller, location, ADMIN_ROLE_NAME):
+        raise PermissionDenied
+
    if user.is_active and user.is_authenticated:
        groupname = get_course_groupname_for_role(location, role)

-        # see if the group exists, or create if new
-        (group, created) = Group.objects.get_or_create(name=groupname)
-        if created:
-            # if newly created, then we have to save it
-            group.save()
-
+        group = Group.objects.get(name=groupname)
        user.groups.add(group)
        user.save()
        return True

    return False

+
 def get_user_by_email(email):
    user = None
-    # try to look up user
+    # try to look up user, return None if not found
    try:
        user = User.objects.get(email=email)
    except:
@@ -48,17 +72,17 @@ def get_user_by_email(email):


 def remove_user_from_course_group(caller, user, location, role):
-    # @todo: make sure caller has 'admin' permissions in the course
+    # only admins can add/remove other users
+    if not is_user_in_course_group_role(caller, location, ADMIN_ROLE_NAME):
+        raise PermissionDenied

+    # see if the user is actually in that role, if not then we don't have to do anything
    if is_user_in_course_group_role(user, location, role) == True:
        groupname = get_course_groupname_for_role(location, role)

-        # make sure the group actually exists
        group = Group.objects.get(name=groupname)
-    
-        if group is not None:
-            user.groups.remove(group)
-            user.save()
+        user.groups.remove(group)
+        user.save()


 def is_user_in_course_group_role(user, location, role):

--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -40,7 +40,7 @@ from xmodule.contentstore.content import StaticContent

 from cache_toolbox.core import set_cached_content, get_cached_content, del_cached_content
 from auth.authz import is_user_in_course_group_role, get_users_in_course_group_by_role
-from auth.authz import get_user_by_email, add_user_to_course_group
+from auth.authz import get_user_by_email, add_user_to_course_group, ADMIN_ROLE_NAME, EDITOR_ROLE_NAME
 from .utils import get_course_location_for_item

 log = logging.getLogger(__name__)
@@ -91,7 +91,7 @@ def index(request):

 # ==== Views with per-item permissions================================

-def has_access(user, location, role='editor'):
+def has_access(user, location, role=EDITOR_ROLE_NAME):
    '''Return True if user allowed to access this piece of data'''
    '''Note that the CMS permissions model is with respect to courses'''
    return is_user_in_course_group_role(user, get_course_location_for_item(location), role)
@@ -535,11 +535,11 @@ def manage_users(request, org, course, name):
    location = ['i4x', org, course, 'course', name]
    
    # check that logged in user has permissions to this item
-    if not has_access(request.user, location):
+    if not has_access(request.user, location, role=ADMIN_ROLE_NAME):
        raise PermissionDenied()

    return render_to_response('manage_users.html', {
-        'editors': get_users_in_course_group_by_role(location, 'editor')
+        'editors': get_users_in_course_group_by_role(location, EDITOR_ROLE_NAME)
    })
    

@@ -565,8 +565,8 @@ def add_user(request, org, course, name):

    location = ['i4x', org, course, 'course', name]
    
-    # check that logged in user has permissions to this item
-    if not has_access(request.user, location):
+    # check that logged in user has admin permissions to this course
+    if not has_access(request.user, location, role=ADMIN_ROLE_NAME):
        raise PermissionDenied()
    
    user = get_user_by_email(email)
@@ -580,7 +580,7 @@ def add_user(request, org, course, name):
        return create_json_response('User {0} has registered but has not yet activated his/her account.'.format(email))

    # ok, we're cool to add to the course group
-    add_user_to_course_group(request.user, user, location, 'editor')
+    add_user_to_course_group(request.user, user, location, EDITOR_ROLE_NAME)

    return create_json_response()

@@ -595,13 +595,13 @@ def remove_user(request, org, course, name):

    location = ['i4x', org, course, 'course', name]
    
-    # check that logged in user has permissions to this item
-    if not has_access(request.user, location):
+    # check that logged in user has admin permissions on this course
+    if not has_access(request.user, location, role=ADMIN_ROLE_NAME):
        raise PermissionDenied()
    
    user = get_user_by_email(email)
    if user is not None:
-        remove_user_from_course_group(request.user, user, location, 'editor')
+        remove_user_from_course_group(request.user, user, location, EDITOR_ROLE_NAME)

    return create_json_response()