Stop using authz functions to change user groups

They contain too much incorrect permission checking

Stop using authz functions to change user groups
They contain too much incorrect permission checking
607c06cb · David Baumgold · a1f43fa6 · 607c06cb
Commit 607c06cb authored Aug 01, 2013 by David Baumgold
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 16 deletions

cms/djangoapps/contentstore/views/user.py
+19 -16

No files found.
--- a/cms/djangoapps/contentstore/views/user.py
+++ b/cms/djangoapps/contentstore/views/user.py
@@ -16,10 +16,10 @@ from xmodule.modulestore import Location
 from contentstore.utils import get_lms_link_for_item
 from util.json_request import JsonResponse
 from auth.authz import (
-    STAFF_ROLE_NAME, INSTRUCTOR_ROLE_NAME,
-    add_user_to_course_group, remove_user_from_course_group,
-    get_course_groupname_for_role)
-from course_creators.views import get_course_creator_status, add_user_with_status_unrequested, user_requested_access
+    STAFF_ROLE_NAME, INSTRUCTOR_ROLE_NAME, get_course_groupname_for_role)
+from course_creators.views import (
+    get_course_creator_status, add_user_with_status_unrequested,
+    user_requested_access)

 from .access import has_access

@@ -154,16 +154,17 @@ def course_team_user(request, org, course, name, email):
        return JsonResponse(msg, 400)

    # make sure that the role groups exist
-    staff_groupname = get_course_groupname_for_role(location, "staff")
-    staff_group, __ = Group.objects.get_or_create(name=staff_groupname)
-    inst_groupname = get_course_groupname_for_role(location, "instructor")
-    inst_group, __ = Group.objects.get_or_create(name=inst_groupname)
+    groups = {}
+    for role in roles:
+        groupname = get_course_groupname_for_role(location, role)
+        group, __ = Group.objects.get_or_create(name=groupname)
+        groups[role] = group

    if request.method == "DELETE":
        # remove all roles in this course from this user: but fail if the user
        # is the last instructor in the course team
-        instructors = set(inst_group.user_set.all())
-        staff = set(staff_group.user_set.all())
+        instructors = set(groups["instructor"].user_set.all())
+        staff = set(groups["staff"].user_set.all())
        if user in instructors and len(instructors) == 1:
            msg = {
                "error": _("You may not remove the last instructor from a course")
@@ -171,9 +172,9 @@ def course_team_user(request, org, course, name, email):
            return JsonResponse(msg, 400)

        if user in instructors:
-            user.groups.remove(inst_group)
+            user.groups.remove(groups["instructor"])
        if user in staff:
-            user.groups.remove(staff_group)
+            user.groups.remove(groups["staff"])
        user.save()
        return JsonResponse()

@@ -198,19 +199,21 @@ def course_team_user(request, org, course, name, email):
                "error": _("Only instructors may create other instructors")
            }
            return JsonResponse(msg, 400)
-        add_user_to_course_group(request.user, user, location, role)
+        user.groups.add(groups["instructor"])
+        user.save()
    elif role == "staff":
        # if we're trying to downgrade a user from "instructor" to "staff",
        # make sure we have at least one other instructor in the course team.
-        instructors = set(inst_group.user_set.all())
+        instructors = set(groups["instructor"].user_set.all())
        if user in instructors:
            if len(instructors) == 1:
                msg = {
                    "error": _("You may not remove the last instructor from a course")
                }
                return JsonResponse(msg, 400)
-            remove_user_from_course_group(request.user, user, location, "instructor")
-        add_user_to_course_group(request.user, user, location, role)
+            user.groups.remove(groups["instructor"])
+        user.groups.add(groups["staff"])
+        user.save()
    return JsonResponse()