Fix access control for impersonation case

- only relevant in tests due to start dates - still irritatingly intricate logic...

Fix access control for impersonation case
- only relevant in tests due to start dates - still irritatingly intricate logic...
7a6fa1dd · Victor Shnayder · b8659e08 · 7a6fa1dd
Commit 7a6fa1dd authored Aug 24, 2012 by Victor Shnayder
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

lms/djangoapps/courseware/module_render.py
+6 -3

No files found.
--- a/lms/djangoapps/courseware/module_render.py
+++ b/lms/djangoapps/courseware/module_render.py
@@ -143,8 +143,9 @@ def get_module(user, request, location, student_module_cache, course_id, positio
    exists.

    Arguments:
-      - user                  : current django User
-      - request               : current django HTTPrequest
+      - user                  : User for whom we're getting the module
+      - request               : current django HTTPrequest -- used in particular for auth
+                                (This is important e.g. for prof impersonation of students in progress view)
      - location              : A Location-like object identifying the module to load
      - student_module_cache  : a StudentModuleCache
      - course_id             : the course_id in the context of which to load module
@@ -170,7 +171,9 @@ def _get_module(user, request, location, student_module_cache, course_id, positi
    descriptor = modulestore().get_instance(course_id, location)

    # Short circuit--if the user shouldn't have access, bail without doing any work
-    if not has_access(user, descriptor, 'load'):
+    # NOTE: Do access check on request.user -- that's who actually needs access (e.g. could be prof
+    # impersonating a user)
+    if not has_access(request.user, descriptor, 'load'):
        return None

    #TODO Only check the cache if this module can possibly have state