Merge pull request #9237 from edx/bderusha/teams-expand-users-api-fix

Team API include correct info when expanding users

lms/djangoapps/student_profile/test/test_views.py

@@ -40,8 +40,9 @@ class LearnerProfileViewTest(UrlResetMixin, TestCase):
         Verify learner profile page context data.
         """
         request = RequestFactory().get('/url')
+        request.user = self.user
 
-        context = learner_profile_context(self.user, self.USERNAME, self.user.is_staff, request.build_absolute_uri)
+        context = learner_profile_context(request, self.USERNAME, self.user.is_staff)
 
         self.assertEqual(
             context['data']['default_public_account_fields'],

lms/djangoapps/student_profile/views.py

@@ -40,13 +40,13 @@ def learner_profile(request, username):
     try:
         return render_to_response(
             'student_profile/learner_profile.html',
-            learner_profile_context(request.user, username, request.user.is_staff, request.build_absolute_uri)
+            learner_profile_context(request, username, request.user.is_staff)
         )
     except (UserNotAuthorized, UserNotFound, ObjectDoesNotExist):
         raise Http404
 
 
-def learner_profile_context(logged_in_user, profile_username, user_is_staff, build_absolute_uri_func):
+def learner_profile_context(request, profile_username, user_is_staff):
     """Context for the learner profile page.
 
     Args:
@@ -62,14 +62,11 @@ def learner_profile_context(logged_in_user, profile_username, user_is_staff, bui
         ObjectDoesNotExist: the specified profile_username does not exist.
     """
     profile_user = User.objects.get(username=profile_username)
+    logged_in_user = request.user
 
     own_profile = (logged_in_user.username == profile_username)
 
-    account_settings_data = get_account_settings(logged_in_user, profile_username)
-    # Account for possibly relative URLs.
-    for key, value in account_settings_data['profile_image'].items():
-        if key.startswith(PROFILE_IMAGE_KEY_PREFIX):
-            account_settings_data['profile_image'][key] = build_absolute_uri_func(value)
+    account_settings_data = get_account_settings(request, profile_username)
 
     preferences_data = get_user_preferences(profile_user, profile_username)
 

lms/djangoapps/teams/__init__.py

+"""
+Defines common methods shared by Teams classes
+"""
+
+from django.conf import settings
+
+
+def is_feature_enabled(course):
+    """
+    Returns True if the teams feature is enabled.
+    """
+    return settings.FEATURES.get('ENABLE_TEAMS', False) and course.teams_enabled

lms/djangoapps/teams/plugins.py

 """
 Definition of the course team feature.
 """
-
 from django.utils.translation import ugettext_noop
 from courseware.tabs import EnrolledTab
-from .views import is_feature_enabled
+from teams import is_feature_enabled
 
 
 class TeamsTab(EnrolledTab):

lms/djangoapps/teams/serializers.py

 """Defines serializers used by the Team API."""
-
+from copy import deepcopy
 from django.contrib.auth.models import User
 from django.db.models import Count
+from django.conf import settings
 
 from rest_framework import serializers
 
 from openedx.core.lib.api.serializers import CollapsedReferenceSerializer, PaginationSerializer
 from openedx.core.lib.api.fields import ExpandableField
-from openedx.core.djangoapps.user_api.serializers import UserSerializer
+from openedx.core.djangoapps.user_api.accounts.serializers import UserReadOnlySerializer
 
 from .models import CourseTeam, CourseTeamMembership
 
@@ -17,6 +18,10 @@ class UserMembershipSerializer(serializers.ModelSerializer):
 
     Used for listing team members.
     """
+    profile_configuration = deepcopy(settings.ACCOUNT_VISIBILITY_CONFIGURATION)
+    profile_configuration['shareable_fields'].append('url')
+    profile_configuration['public_fields'].append('url')
+
     user = ExpandableField(
         collapsed_serializer=CollapsedReferenceSerializer(
             model_class=User,
@@ -24,7 +29,7 @@ class UserMembershipSerializer(serializers.ModelSerializer):
             view_name='accounts_api',
             read_only=True,
         ),
-        expanded_serializer=UserSerializer(),
+        expanded_serializer=UserReadOnlySerializer(configuration=profile_configuration),
     )
 
     class Meta(object):
@@ -87,6 +92,10 @@ class CourseTeamCreationSerializer(serializers.ModelSerializer):
 
 class MembershipSerializer(serializers.ModelSerializer):
     """Serializes CourseTeamMemberships with information about both teams and users."""
+    profile_configuration = deepcopy(settings.ACCOUNT_VISIBILITY_CONFIGURATION)
+    profile_configuration['shareable_fields'].append('url')
+    profile_configuration['public_fields'].append('url')
+
     user = ExpandableField(
         collapsed_serializer=CollapsedReferenceSerializer(
             model_class=User,
@@ -94,7 +103,7 @@ class MembershipSerializer(serializers.ModelSerializer):
             view_name='accounts_api',
             read_only=True,
         ),
-        expanded_serializer=UserSerializer(read_only=True)
+        expanded_serializer=UserReadOnlySerializer(configuration=profile_configuration)
     )
     team = ExpandableField(
         collapsed_serializer=CollapsedReferenceSerializer(

lms/djangoapps/teams/tests/test_views.py

@@ -110,7 +110,7 @@ class TeamAPITestCase(APITestCase, SharedModuleStoreTestCase):
     @classmethod
     def setUpClass(cls):
         super(TeamAPITestCase, cls).setUpClass()
-        teams_configuration = {
+        teams_configuration_1 = {
             'topics':
             [
                 {
@@ -124,9 +124,30 @@ class TeamAPITestCase(APITestCase, SharedModuleStoreTestCase):
             org='TestX',
             course='TS101',
             display_name='Test Course',
-            teams_configuration=teams_configuration
+            teams_configuration=teams_configuration_1
+        )
+
+        teams_configuration_2 = {
+            'topics':
+            [
+                {
+                    'id': 'topic_5',
+                    'name': 'Other Interests',
+                    'description': 'Description for topic 5.'
+                },
+                {
+                    'id': 'topic_6',
+                    'name': 'Public Profiles',
+                    'description': 'Description for topic 6.'
+                },
+            ]
+        }
+        cls.test_course_2 = CourseFactory.create(
+            org='MIT',
+            course='6.002x',
+            display_name='Circuits',
+            teams_configuration=teams_configuration_2
         )
-        cls.test_course_2 = CourseFactory.create(org='MIT', course='6.002x', display_name='Circuits')
 
     def setUp(self):
         super(TeamAPITestCase, self).setUp()
@@ -152,6 +173,15 @@ class TeamAPITestCase(APITestCase, SharedModuleStoreTestCase):
             username='student_enrolled_both_courses_other_team'
         )
 
+        # Make this student have a public profile
+        self.create_and_enroll_student(
+            courses=[self.test_course_2],
+            username='student_enrolled_public_profile'
+        )
+        profile = self.users['student_enrolled_public_profile'].profile
+        profile.year_of_birth = 1970
+        profile.save()
+
         # 'solar team' is intentionally lower case to test case insensitivity in name ordering
         self.test_team_1 = CourseTeamFactory.create(
             name=u'sólar team',
@@ -162,11 +192,13 @@ class TeamAPITestCase(APITestCase, SharedModuleStoreTestCase):
         self.test_team_3 = CourseTeamFactory.create(name='Nuclear Team', course_id=self.test_course_1.id)
         self.test_team_4 = CourseTeamFactory.create(name='Coal Team', course_id=self.test_course_1.id, is_active=False)
         self.test_team_5 = CourseTeamFactory.create(name='Another Team', course_id=self.test_course_2.id)
+        self.test_team_6 = CourseTeamFactory.create(
+            name='Public Profile Team',
+            course_id=self.test_course_2.id,
+            topic_id='topic_6'
+        )
 
-        for user, course in [
-                ('staff', self.test_course_1),
-                ('course_staff', self.test_course_1),
-        ]:
+        for user, course in [('staff', self.test_course_1), ('course_staff', self.test_course_1)]:
             CourseEnrollment.enroll(
                 self.users[user], course.id, check_access=True
             )
@@ -174,6 +206,7 @@ class TeamAPITestCase(APITestCase, SharedModuleStoreTestCase):
         self.test_team_1.add_user(self.users['student_enrolled'])
         self.test_team_3.add_user(self.users['student_enrolled_both_courses_other_team'])
         self.test_team_5.add_user(self.users['student_enrolled_both_courses_other_team'])
+        self.test_team_6.add_user(self.users['student_enrolled_public_profile'])
 
     def create_and_enroll_student(self, courses=None, username=None):
         """ Creates a new student and enrolls that student in the course.
@@ -305,11 +338,18 @@ class TeamAPITestCase(APITestCase, SharedModuleStoreTestCase):
             **kwargs
         )
 
-    def verify_expanded_user(self, user):
+    def verify_expanded_public_user(self, user):
         """Verifies that fields exist on the returned user json indicating that it is expanded."""
-        for field in ['id', 'url', 'email', 'name', 'username', 'preferences']:
+        for field in ['username', 'url', 'bio', 'country', 'profile_image', 'time_zone', 'language_proficiencies']:
             self.assertIn(field, user)
 
+    def verify_expanded_private_user(self, user):
+        """Verifies that fields exist on the returned user json indicating that it is expanded."""
+        for field in ['username', 'url', 'profile_image']:
+            self.assertIn(field, user)
+        for field in ['bio', 'country', 'time_zone', 'language_proficiencies']:
+            self.assertNotIn(field, user)
+
     def verify_expanded_team(self, team):
         """Verifies that fields exist on the returned team json indicating that it is expanded."""
         for field in ['id', 'name', 'is_active', 'course_id', 'topic_id', 'date_created', 'description']:
@@ -347,7 +387,12 @@ class TestListTeamsAPI(TeamAPITestCase):
         self.verify_names({'course_id': 'no_such_course'}, 400)
 
     def test_filter_course_id(self):
-        self.verify_names({'course_id': self.test_course_2.id}, 200, ['Another Team'], user='staff')
+        self.verify_names(
+            {'course_id': self.test_course_2.id},
+            200,
+            ['Another Team', 'Public Profile Team'],
+            user='staff'
+        )
 
     def test_filter_topic_id(self):
         self.verify_names({'course_id': self.test_course_1.id, 'topic_id': 'topic_0'}, 200, [u'sólar team'])
@@ -386,9 +431,22 @@ class TestListTeamsAPI(TeamAPITestCase):
         self.assertIsNone(result['next'])
         self.assertIsNotNone(result['previous'])
 
-    def test_expand_user(self):
+    def test_expand_private_user(self):
+        # Use the default user which is already private because to year_of_birth is set
         result = self.get_teams_list(200, {'expand': 'user', 'topic_id': 'topic_0'})
-        self.verify_expanded_user(result['results'][0]['membership'][0]['user'])
+        self.verify_expanded_private_user(result['results'][0]['membership'][0]['user'])
+
+    def test_expand_public_user(self):
+        result = self.get_teams_list(
+            200,
+            {
+                'expand': 'user',
+                'topic_id': 'topic_6',
+                'course_id': self.test_course_2.id
+            },
+            user='student_enrolled_public_profile'
+        )
+        self.verify_expanded_public_user(result['results'][0]['membership'][0]['user'])
 
 
 @ddt.ddt
@@ -515,9 +573,19 @@ class TestDetailTeamAPI(TeamAPITestCase):
     def test_does_not_exist(self):
         self.get_team_detail('no_such_team', 404)
 
-    def test_expand_user(self):
+    def test_expand_private_user(self):
+        # Use the default user which is already private because to year_of_birth is set
         result = self.get_team_detail(self.test_team_1.team_id, 200, {'expand': 'user'})
-        self.verify_expanded_user(result['membership'][0]['user'])
+        self.verify_expanded_private_user(result['membership'][0]['user'])
+
+    def test_expand_public_user(self):
+        result = self.get_team_detail(
+            self.test_team_6.team_id,
+            200,
+            {'expand': 'user'},
+            user='student_enrolled_public_profile'
+        )
+        self.verify_expanded_public_user(result['membership'][0]['user'])
 
 
 @ddt.ddt
@@ -715,9 +783,18 @@ class TestListMembershipAPI(TeamAPITestCase):
     def test_bad_team_id(self):
         self.get_membership_list(404, {'team_id': 'no_such_team'})
 
-    def test_expand_user(self):
+    def test_expand_private_user(self):
+        # Use the default user which is already private because to year_of_birth is set
         result = self.get_membership_list(200, {'team_id': self.test_team_1.team_id, 'expand': 'user'})
-        self.verify_expanded_user(result['results'][0]['user'])
+        self.verify_expanded_private_user(result['results'][0]['user'])
+
+    def test_expand_public_user(self):
+        result = self.get_membership_list(
+            200,
+            {'team_id': self.test_team_6.team_id, 'expand': 'user'},
+            user='student_enrolled_public_profile'
+        )
+        self.verify_expanded_public_user(result['results'][0]['user'])
 
     def test_expand_team(self):
         result = self.get_membership_list(200, {'team_id': self.test_team_1.team_id, 'expand': 'team'})
@@ -842,14 +919,25 @@ class TestDetailMembershipAPI(TeamAPITestCase):
             404
         )
 
-    def test_expand_user(self):
+    def test_expand_private_user(self):
+        # Use the default user which is already private because to year_of_birth is set
         result = self.get_membership_detail(
             self.test_team_1.team_id,
             self.users['student_enrolled'].username,
             200,
             {'expand': 'user'}
         )
-        self.verify_expanded_user(result['user'])
+        self.verify_expanded_private_user(result['user'])
+
+    def test_expand_public_user(self):
+        result = self.get_membership_detail(
+            self.test_team_6.team_id,
+            self.users['student_enrolled_public_profile'].username,
+            200,
+            {'expand': 'user'},
+            user='student_enrolled_public_profile'
+        )
+        self.verify_expanded_public_user(result['user'])
 
     def test_expand_team(self):
         result = self.get_membership_detail(

lms/djangoapps/teams/views.py

 """HTTP endpoints for the Teams API."""
 
 from django.shortcuts import render_to_response
-from courseware.courses import get_course_with_access, has_access
 from django.http import Http404
 from django.conf import settings
 from django.core.paginator import Paginator
 from django.views.generic.base import View
 import newrelic.agent
-
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
 from rest_framework.reverse import reverse
@@ -18,16 +16,11 @@ from rest_framework.authentication import (
 )
 from rest_framework import status
 from rest_framework import permissions
-
 from django.db.models import Count
 from django.contrib.auth.models import User
 from django_countries import countries
 from django.utils.translation import ugettext as _
 from django.utils.translation import ugettext_noop
-
-from student.models import CourseEnrollment, CourseAccessRole
-from student.roles import CourseStaffRole
-
 from openedx.core.lib.api.parsers import MergePatchParser
 from openedx.core.lib.api.permissions import IsStaffOrReadOnly
 from openedx.core.lib.api.view_utils import (
@@ -37,14 +30,15 @@ from openedx.core.lib.api.view_utils import (
     ExpandableFieldViewMixin
 )
 from openedx.core.lib.api.serializers import PaginationSerializer
-
 from xmodule.modulestore.django import modulestore
-
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.keys import CourseKey
 
+from courseware.courses import get_course_with_access, has_access
+from student.models import CourseEnrollment, CourseAccessRole
+from student.roles import CourseStaffRole
 from django_comment_client.utils import has_discussion_privileges
-
+from teams import is_feature_enabled
 from .models import CourseTeam, CourseTeamMembership
 from .serializers import (
     CourseTeamSerializer,
@@ -58,7 +52,6 @@ from .serializers import (
 from .errors import AlreadyOnTeamInCourse, NotEnrolledInCourseForTeam
 
 
-# Constants
 TEAM_MEMBERSHIPS_PER_PAGE = 2
 TOPICS_PER_PAGE = 12
 
@@ -120,13 +113,6 @@ class TeamsDashboardView(View):
         return render_to_response("teams/teams.html", context)
 
 
-def is_feature_enabled(course):
-    """
-    Returns True if the teams feature is enabled.
-    """
-    return settings.FEATURES.get('ENABLE_TEAMS', False) and course.teams_enabled
-
-
 def has_team_api_access(user, course_key, access_username=None):
     """Returns True if the user has access to the Team API for the course
     given by `course_key`. The user must either be enrolled in the course,

lms/djangoapps/verify_student/tests/test_views.py

@@ -1482,7 +1482,9 @@ class TestSubmitPhotosForVerification(TestCase):
             AssertionError
 
         """
-        account_settings = get_account_settings(self.user)
+        request = RequestFactory().get('/url')
+        request.user = self.user
+        account_settings = get_account_settings(request)
         self.assertEqual(account_settings['name'], full_name)
 
     def _get_post_data(self):

lms/envs/common.py

@@ -2520,6 +2520,25 @@ ACCOUNT_VISIBILITY_CONFIGURATION = {
         'username',
         'profile_image',
     ],
+
+    # The list of account fields that are visible only to staff and users viewing their own profiles
+    "admin_fields": [
+        "username",
+        "email",
+        "date_joined",
+        "is_active",
+        "bio",
+        "country",
+        "profile_image",
+        "language_proficiencies",
+        "name",
+        "gender",
+        "goals",
+        "year_of_birth",
+        "level_of_education",
+        "mailing_address",
+        "requires_parental_consent",
+    ]
 }
 
 # E-Commerce API Configuration

openedx/core/djangoapps/user_api/accounts/api.py

@@ -22,84 +22,67 @@ from ..helpers import intercept_errors
 from ..models import UserPreference
 
 from . import (
-    ACCOUNT_VISIBILITY_PREF_KEY, ALL_USERS_VISIBILITY, PRIVATE_VISIBILITY,
+    ACCOUNT_VISIBILITY_PREF_KEY, PRIVATE_VISIBILITY,
     EMAIL_MIN_LENGTH, EMAIL_MAX_LENGTH, PASSWORD_MIN_LENGTH, PASSWORD_MAX_LENGTH,
     USERNAME_MIN_LENGTH, USERNAME_MAX_LENGTH
 )
-from .serializers import AccountLegacyProfileSerializer, AccountUserSerializer
+from .serializers import (
+    AccountLegacyProfileSerializer, AccountUserSerializer,
+    UserReadOnlySerializer
+)
 
 
 @intercept_errors(UserAPIInternalError, ignore_errors=[UserAPIRequestError])
-def get_account_settings(requesting_user, username=None, configuration=None, view=None):
+def get_account_settings(request, username=None, configuration=None, view=None):
     """Returns account information for a user serialized as JSON.
 
     Note:
-        If `requesting_user.username` != `username`, this method will return differing amounts of information
-        based on who `requesting_user` is and the privacy settings of the user associated with `username`.
+        If `request.user.username` != `username`, this method will return differing amounts of information
+        based on who `request.user` is and the privacy settings of the user associated with `username`.
 
     Args:
-        requesting_user (User): The user requesting the account information. Only the user with username
-            `username` or users with "is_staff" privileges can get full account information.
-            Other users will get the account fields that the user has elected to share.
+        request (Request): The request object with account information about the requesting user.
+            Only the user with username `username` or users with "is_staff" privileges can get full
+            account information. Other users will get the account fields that the user has elected to share.
         username (str): Optional username for the desired account information. If not specified,
-            `requesting_user.username` is assumed.
+            `request.user.username` is assumed.
         configuration (dict): an optional configuration specifying which fields in the account
             can be shared, and the default visibility settings. If not present, the setting value with
             key ACCOUNT_VISIBILITY_CONFIGURATION is used.
         view (str): An optional string allowing "is_staff" users and users requesting their own
             account information to get just the fields that are shared with everyone. If view is
-            "shared", only shared account information will be returned, regardless of `requesting_user`.
+            "shared", only shared account information will be returned, regardless of `request.user`.
 
     Returns:
          A dict containing account fields.
 
     Raises:
-         UserNotFound: no user with username `username` exists (or `requesting_user.username` if
+         UserNotFound: no user with username `username` exists (or `request.user.username` if
             `username` is not specified)
          UserAPIInternalError: the operation failed due to an unexpected error.
     """
+    requesting_user = request.user
+
     if username is None:
         username = requesting_user.username
 
-    has_full_access = requesting_user.username == username or requesting_user.is_staff
-    return_all_fields = has_full_access and view != 'shared'
-
-    existing_user, existing_user_profile = _get_user_and_profile(username)
-
-    user_serializer = AccountUserSerializer(existing_user)
-    legacy_profile_serializer = AccountLegacyProfileSerializer(existing_user_profile)
-
-    account_settings = dict(user_serializer.data, **legacy_profile_serializer.data)
-
-    if return_all_fields:
-        return account_settings
-
-    if not configuration:
-        configuration = settings.ACCOUNT_VISIBILITY_CONFIGURATION
-
-    visible_settings = {}
+    try:
+        existing_user = User.objects.get(username=username)
+    except ObjectDoesNotExist:
+        raise UserNotFound()
 
-    profile_visibility = _get_profile_visibility(existing_user_profile, configuration)
-    if profile_visibility == ALL_USERS_VISIBILITY:
-        field_names = configuration.get('shareable_fields')
+    has_full_access = requesting_user.username == username or requesting_user.is_staff
+    if has_full_access and view != 'shared':
+        admin_fields = settings.ACCOUNT_VISIBILITY_CONFIGURATION.get('admin_fields')
     else:
-        field_names = configuration.get('public_fields')
-
-    for field_name in field_names:
-        visible_settings[field_name] = account_settings.get(field_name, None)
-
-    return visible_settings
-
-
-def _get_profile_visibility(user_profile, configuration):
-    """Returns the visibility level for the specified user profile."""
-    if user_profile.requires_parental_consent():
-        return PRIVATE_VISIBILITY
-
-    # Calling UserPreference directly because the requesting user may be different from existing_user
-    # (and does not have to be is_staff).
-    profile_privacy = UserPreference.get_value(user_profile.user, ACCOUNT_VISIBILITY_PREF_KEY)
-    return profile_privacy if profile_privacy else configuration.get('default_visibility')
+        admin_fields = None
+
+    return UserReadOnlySerializer(
+        existing_user,
+        configuration=configuration,
+        custom_fields=admin_fields,
+        context={'request': request}
+    ).data
 
 
 @intercept_errors(UserAPIInternalError, ignore_errors=[UserAPIRequestError])

openedx/core/djangoapps/user_api/accounts/image_helpers.py

@@ -72,7 +72,7 @@ def get_profile_image_names(username):
     return {size: _get_profile_image_filename(name, size) for size in _PROFILE_IMAGE_SIZES}
 
 
-def get_profile_image_urls_for_user(user):
+def get_profile_image_urls_for_user(user, request=None):
     """
     Return a dict {size:url} for each profile image for a given user.
     Notes:
@@ -93,13 +93,19 @@ def get_profile_image_urls_for_user(user):
 
     """
     if user.profile.has_profile_image:
-        return _get_profile_image_urls(
+        urls = _get_profile_image_urls(
             _make_profile_image_name(user.username),
             get_profile_image_storage(),
             version=user.profile.profile_image_uploaded_at.strftime("%s"),
         )
     else:
-        return _get_default_profile_image_urls()
+        urls = _get_default_profile_image_urls()
+
+    if request:
+        for key, value in urls.items():
+            urls[key] = request.build_absolute_uri(value)
+
+    return urls
 
 
 def _get_default_profile_image_urls():

openedx/core/djangoapps/user_api/accounts/serializers.py

 from rest_framework import serializers
 from django.contrib.auth.models import User
+from django.conf import settings
+from django.core.urlresolvers import reverse
 from openedx.core.djangoapps.user_api.accounts import NAME_MIN_LENGTH
 from openedx.core.djangoapps.user_api.serializers import ReadOnlyFieldsSerializerMixin
 
 from student.models import UserProfile, LanguageProficiency
+from ..models import UserPreference
 from .image_helpers import get_profile_image_urls_for_user
+from . import (
+    ACCOUNT_VISIBILITY_PREF_KEY, ALL_USERS_VISIBILITY, PRIVATE_VISIBILITY,
+)
 
 
 PROFILE_IMAGE_KEY_PREFIX = 'image_url'
@@ -32,6 +38,104 @@ class LanguageProficiencySerializer(serializers.ModelSerializer):
             return None
 
 
+class UserReadOnlySerializer(serializers.Serializer):
+    """
+    Class that serializes the User model and UserProfile model together.
+    """
+    def __init__(self, *args, **kwargs):
+        # Don't pass the 'configuration' arg up to the superclass
+        self.configuration = kwargs.pop('configuration', None)
+        if not self.configuration:
+            self.configuration = settings.ACCOUNT_VISIBILITY_CONFIGURATION
+
+        # Don't pass the 'custom_fields' arg up to the superclass
+        self.custom_fields = kwargs.pop('custom_fields', None)
+
+        super(UserReadOnlySerializer, self).__init__(*args, **kwargs)
+
+    def to_native(self, user):
+        """
+        Overwrite to_native to handle custom logic since we are serializing two models as one here
+        :param user: User object
+        :return: Dict serialized account
+        """
+        profile = user.profile
+
+        data = {
+            "username": user.username,
+            "url": self.context.get('request').build_absolute_uri(
+                reverse('accounts_api', kwargs={'username': user.username})
+            ),
+            "email": user.email,
+            "date_joined": user.date_joined,
+            "is_active": user.is_active,
+            "bio": AccountLegacyProfileSerializer.convert_empty_to_None(profile.bio),
+            "country": AccountLegacyProfileSerializer.convert_empty_to_None(profile.country.code),
+            "profile_image": AccountLegacyProfileSerializer.get_profile_image(
+                profile,
+                user,
+                self.context.get('request')
+            ),
+            "time_zone": None,
+            "language_proficiencies": LanguageProficiencySerializer(
+                profile.language_proficiencies.all(),
+                many=True
+            ).data,
+            "name": profile.name,
+            "gender": AccountLegacyProfileSerializer.convert_empty_to_None(profile.gender),
+            "goals": profile.goals,
+            "year_of_birth": profile.year_of_birth,
+            "level_of_education": AccountLegacyProfileSerializer.convert_empty_to_None(profile.level_of_education),
+            "mailing_address": profile.mailing_address,
+            "requires_parental_consent": profile.requires_parental_consent(),
+        }
+
+        return self._filter_fields(
+            self._visible_fields(profile, user),
+            data
+        )
+
+    def _visible_fields(self, user_profile, user):
+        """
+        Return what fields should be visible based on user settings
+
+        :param user_profile: User profile object
+        :param user: User object
+        :return: whitelist List of fields to be shown
+        """
+
+        if self.custom_fields:
+            return self.custom_fields
+
+        profile_visibility = self._get_profile_visibility(user_profile, user)
+
+        if profile_visibility == ALL_USERS_VISIBILITY:
+            return self.configuration.get('shareable_fields')
+        else:
+            return self.configuration.get('public_fields')
+
+    def _get_profile_visibility(self, user_profile, user):
+        """Returns the visibility level for the specified user profile."""
+        if user_profile.requires_parental_consent():
+            return PRIVATE_VISIBILITY
+
+        # Calling UserPreference directly because the requesting user may be different from existing_user
+        # (and does not have to be is_staff).
+        profile_privacy = UserPreference.get_value(user, ACCOUNT_VISIBILITY_PREF_KEY)
+        return profile_privacy if profile_privacy else self.configuration.get('default_visibility')
+
+    def _filter_fields(self, field_whitelist, serialized_account):
+        """
+        Filter serialized account Dict to only include whitelisted keys
+        """
+        visible_serialized_account = {}
+
+        for field_name in field_whitelist:
+            visible_serialized_account[field_name] = serialized_account.get(field_name, None)
+
+        return visible_serialized_account
+
+
 class AccountUserSerializer(serializers.HyperlinkedModelSerializer, ReadOnlyFieldsSerializerMixin):
     """
     Class that serializes the portion of User model needed for account information.
@@ -47,7 +151,7 @@ class AccountLegacyProfileSerializer(serializers.HyperlinkedModelSerializer, Rea
     """
     Class that serializes the portion of UserProfile model needed for account information.
     """
-    profile_image = serializers.SerializerMethodField("get_profile_image")
+    profile_image = serializers.SerializerMethodField("_get_profile_image")
     requires_parental_consent = serializers.SerializerMethodField("get_requires_parental_consent")
     language_proficiencies = LanguageProficiencySerializer(many=True, allow_add_remove=True, required=False)
 
@@ -102,10 +206,11 @@ class AccountLegacyProfileSerializer(serializers.HyperlinkedModelSerializer, Rea
         """ Helper method to convert empty string to None (other values pass through). """
         return None if value == "" else value
 
-    def get_profile_image(self, user_profile):
+    @staticmethod
+    def get_profile_image(user_profile, user, request=None):
         """ Returns metadata about a user's profile image. """
         data = {'has_image': user_profile.has_profile_image}
-        urls = get_profile_image_urls_for_user(user_profile.user)
+        urls = get_profile_image_urls_for_user(user, request)
         data.update({
             '{image_key_prefix}_{size}'.format(image_key_prefix=PROFILE_IMAGE_KEY_PREFIX, size=size_display_name): url
             for size_display_name, url in urls.items()
@@ -115,3 +220,13 @@ class AccountLegacyProfileSerializer(serializers.HyperlinkedModelSerializer, Rea
     def get_requires_parental_consent(self, user_profile):
         """ Returns a boolean representing whether the user requires parental controls.  """
         return user_profile.requires_parental_consent()
+
+    def _get_profile_image(self, user_profile):
+        """
+        Returns metadata about a user's profile image
+
+        This protected method delegates to the static 'get_profile_image' method
+        because 'serializers.SerializerMethodField("_get_profile_image")' will
+        call the method with a single argument, the user_profile object.
+        """
+        return AccountLegacyProfileSerializer.get_profile_image(user_profile, user_profile.user)

openedx/core/djangoapps/user_api/accounts/tests/test_api.py

@@ -15,6 +15,7 @@ from student.tests.factories import UserFactory
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.core import mail
+from django.test.client import RequestFactory
 from student.models import PendingEmailChange
 from student.tests.tests import UserSettingsEventTestMixin
 from ...errors import (
@@ -43,21 +44,24 @@ class TestAccountApi(UserSettingsEventTestMixin, TestCase):
 
     def setUp(self):
         super(TestAccountApi, self).setUp()
+        self.request_factory = RequestFactory()
         self.table = "student_languageproficiency"
         self.user = UserFactory.create(password=self.password)
+        self.default_request = self.request_factory.get("/api/user/v1/accounts/")
+        self.default_request.user = self.user
         self.different_user = UserFactory.create(password=self.password)
         self.staff_user = UserFactory(is_staff=True, password=self.password)
         self.reset_tracker()
 
     def test_get_username_provided(self):
         """Test the difference in behavior when a username is supplied to get_account_settings."""
-        account_settings = get_account_settings(self.user)
+        account_settings = get_account_settings(self.default_request)
         self.assertEqual(self.user.username, account_settings["username"])
 
-        account_settings = get_account_settings(self.user, username=self.user.username)
+        account_settings = get_account_settings(self.default_request, username=self.user.username)
         self.assertEqual(self.user.username, account_settings["username"])
 
-        account_settings = get_account_settings(self.user, username=self.different_user.username)
+        account_settings = get_account_settings(self.default_request, username=self.different_user.username)
         self.assertEqual(self.different_user.username, account_settings["username"])
 
     def test_get_configuration_provided(self):
@@ -75,29 +79,35 @@ class TestAccountApi(UserSettingsEventTestMixin, TestCase):
         }
 
         # With default configuration settings, email is not shared with other (non-staff) users.
-        account_settings = get_account_settings(self.user, self.different_user.username)
+        account_settings = get_account_settings(self.default_request, self.different_user.username)
         self.assertFalse("email" in account_settings)
 
-        account_settings = get_account_settings(self.user, self.different_user.username, configuration=config)
+        account_settings = get_account_settings(
+            self.default_request,
+            self.different_user.username,
+            configuration=config
+        )
         self.assertEqual(self.different_user.email, account_settings["email"])
 
     def test_get_user_not_found(self):
         """Test that UserNotFound is thrown if there is no user with username."""
         with self.assertRaises(UserNotFound):
-            get_account_settings(self.user, username="does_not_exist")
+            get_account_settings(self.default_request, username="does_not_exist")
 
         self.user.username = "does_not_exist"
+        request = self.request_factory.get("/api/user/v1/accounts/")
+        request.user = self.user
         with self.assertRaises(UserNotFound):
-            get_account_settings(self.user)
+            get_account_settings(request)
 
     def test_update_username_provided(self):
         """Test the difference in behavior when a username is supplied to update_account_settings."""
         update_account_settings(self.user, {"name": "Mickey Mouse"})
-        account_settings = get_account_settings(self.user)
+        account_settings = get_account_settings(self.default_request)
         self.assertEqual("Mickey Mouse", account_settings["name"])
 
         update_account_settings(self.user, {"name": "Donald Duck"}, username=self.user.username)
-        account_settings = get_account_settings(self.user)
+        account_settings = get_account_settings(self.default_request)
         self.assertEqual("Donald Duck", account_settings["name"])
 
         with self.assertRaises(UserNotAuthorized):
@@ -171,7 +181,7 @@ class TestAccountApi(UserSettingsEventTestMixin, TestCase):
         self.assertIn("Error thrown from do_email_change_request", context_manager.exception.developer_message)
 
         # Verify that the name change happened, even though the attempt to send the email failed.
-        account_settings = get_account_settings(self.user)
+        account_settings = get_account_settings(self.default_request)
         self.assertEqual("Mickey Mouse", account_settings["name"])
 
     @patch('openedx.core.djangoapps.user_api.accounts.serializers.AccountUserSerializer.save')
@@ -229,7 +239,9 @@ class AccountSettingsOnCreationTest(TestCase):
 
         # Retrieve the account settings
         user = User.objects.get(username=self.USERNAME)
-        account_settings = get_account_settings(user)
+        request = RequestFactory().get("/api/user/v1/accounts/")
+        request.user = user
+        account_settings = get_account_settings(request)
 
         # Expect a date joined field but remove it to simplify the following comparison
         self.assertIsNotNone(account_settings['date_joined'])
@@ -250,8 +262,8 @@ class AccountSettingsOnCreationTest(TestCase):
             'bio': None,
             'profile_image': {
                 'has_image': False,
-                'image_url_full': '/static/default_50.png',
-                'image_url_small': '/static/default_10.png',
+                'image_url_full': request.build_absolute_uri('/static/default_50.png'),
+                'image_url_small': request.build_absolute_uri('/static/default_10.png'),
             },
             'requires_parental_consent': True,
             'language_proficiencies': [],
@@ -303,18 +315,22 @@ class AccountCreationActivationAndPasswordChangeTest(TestCase):
         u'a' * (PASSWORD_MAX_LENGTH + 1)
     ]
 
+    @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
     def test_activate_account(self):
         # Create the account, which is initially inactive
         activation_key = create_account(self.USERNAME, self.PASSWORD, self.EMAIL)
         user = User.objects.get(username=self.USERNAME)
-        account = get_account_settings(user)
+
+        request = RequestFactory().get("/api/user/v1/accounts/")
+        request.user = user
+        account = get_account_settings(request)
         self.assertEqual(self.USERNAME, account["username"])
         self.assertEqual(self.EMAIL, account["email"])
         self.assertFalse(account["is_active"])
 
         # Activate the account and verify that it is now active
         activate_account(activation_key)
-        account = get_account_settings(user)
+        account = get_account_settings(request)
         self.assertTrue(account['is_active'])
 
     def test_create_account_duplicate_username(self):

openedx/core/djangoapps/user_api/accounts/tests/test_views.py

@@ -321,11 +321,12 @@ class TestAccountAPI(UserAPITestCase):
         legacy_profile.country = ""
         legacy_profile.level_of_education = ""
         legacy_profile.gender = ""
+        legacy_profile.bio = ""
         legacy_profile.save()
 
         self.client.login(username=self.user.username, password=self.test_password)
         response = self.send_get(self.client)
-        for empty_field in ("level_of_education", "gender", "country"):
+        for empty_field in ("level_of_education", "gender", "country", "bio"):
             self.assertIsNone(response.data[empty_field])
 
     @ddt.data(

openedx/core/djangoapps/user_api/accounts/views.py

@@ -146,11 +146,7 @@ class AccountView(APIView):
         GET /api/user/v1/accounts/{username}/
         """
         try:
-            account_settings = get_account_settings(request.user, username, view=request.QUERY_PARAMS.get('view'))
-            # Account for possibly relative URLs.
-            for key, value in account_settings['profile_image'].items():
-                if key.startswith(PROFILE_IMAGE_KEY_PREFIX):
-                    account_settings['profile_image'][key] = request.build_absolute_uri(value)
+            account_settings = get_account_settings(request, username, view=request.QUERY_PARAMS.get('view'))
         except UserNotFound:
             return Response(status=status.HTTP_403_FORBIDDEN if request.user.is_staff else status.HTTP_404_NOT_FOUND)
 

openedx/core/djangoapps/user_api/tests/test_views.py

@@ -18,6 +18,7 @@ from django.contrib.auth.models import User
 from django.test import TestCase
 from django.test.testcases import TransactionTestCase
 from django.test.utils import override_settings
+from django.test.client import RequestFactory
 
 from social.apps.django_app.default.models import UserSocialAuth
 
@@ -1269,7 +1270,9 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, ApiTestCase):
         self.assertIn(settings.EDXMKTG_USER_INFO_COOKIE_NAME, self.client.cookies)
 
         user = User.objects.get(username=self.USERNAME)
-        account_settings = get_account_settings(user)
+        request = RequestFactory().get('/url')
+        request.user = user
+        account_settings = get_account_settings(request)
 
         self.assertEqual(self.USERNAME, account_settings["username"])
         self.assertEqual(self.EMAIL, account_settings["email"])
@@ -1307,7 +1310,10 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, ApiTestCase):
 
         # Verify the user's account
         user = User.objects.get(username=self.USERNAME)
-        account_settings = get_account_settings(user)
+        request = RequestFactory().get('/url')
+        request.user = user
+        account_settings = get_account_settings(request)
+
         self.assertEqual(account_settings["level_of_education"], self.EDUCATION)
         self.assertEqual(account_settings["mailing_address"], self.ADDRESS)
         self.assertEqual(account_settings["year_of_birth"], int(self.YEAR_OF_BIRTH))