add a 'can_execute_unsafe_code' callback method (ala LMS) to allow for…

add a 'can_execute_unsafe_code' callback method (ala LMS) to allow for whitelisting of courses with respect to codejailing

add a 'can_execute_unsafe_code' callback method (ala LMS) to allow for…
add a 'can_execute_unsafe_code' callback method (ala LMS) to allow for whitelisting of courses with respect to codejailing
63ed16e1 · Chris Dodge · 221db93f · 63ed16e1
Commit 63ed16e1 authored Jul 01, 2013 by Chris Dodge
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

cms/djangoapps/contentstore/views/preview.py
+18 -0

No files found.
--- a/cms/djangoapps/contentstore/views/preview.py
+++ b/cms/djangoapps/contentstore/views/preview.py
 import logging
 import sys
 from functools import partial
+import re

+from django.conf import settings
 from django.http import HttpResponse, Http404, HttpResponseBadRequest, HttpResponseForbidden
 from django.core.urlresolvers import reverse
 from django.contrib.auth.decorators import login_required
@@ -21,6 +23,7 @@ import static_replace
 from .session_kv_store import SessionKeyValueStore
 from .requests import render_from_lms
 from .access import has_access
+from ..utils import get_course_for_item

 __all__ = ['preview_dispatch', 'preview_component']

@@ -93,6 +96,20 @@ def preview_module_system(request, preview_id, descriptor):
            MongoUsage(preview_id, descriptor.location.url()),
        )

+    # unfortunately this is duplicate code from module_render.py (LMS)
+    # refactoring this to be more DRY means having the change the call signature
+    # to pass along a course_id, however, deep in the code where the call is actually made, we don't always have
+    # access to the course_id
+    course_id = get_course_for_item(descriptor.location).location.course_id
+
+    def can_execute_unsafe_code():
+        # To decide if we can run unsafe code, we check the course id against
+        # a list of regexes configured on the server.
+        for regex in settings.COURSES_WITH_UNSAFE_CODE:
+            if re.match(regex, course_id):
+                return True
+        return False
+
    return ModuleSystem(
        ajax_url=reverse('preview_dispatch', args=[preview_id, descriptor.location.url(), '']).rstrip('/'),
        # TODO (cpennington): Do we want to track how instructors are using the preview problems?
@@ -104,6 +121,7 @@ def preview_module_system(request, preview_id, descriptor):
        replace_urls=partial(static_replace.replace_static_urls, data_directory=None, course_namespace=descriptor.location),
        user=request.user,
        xblock_model_data=preview_model_data,
+        can_execute_unsafe_code=can_execute_unsafe_code,
    )