a0986662
Commit
a0986662
authored
Nov 29, 2017
by
Eric Fischer
Move library creator checks to POST-only
parent
cb463c0d
Showing
2 changed files
with
16 additions
and
11 deletions
+16
-11
cms/djangoapps/contentstore/views/library.py
+8
-9
cms/djangoapps/contentstore/views/tests/test_library.py
+8
-2
cms/djangoapps/contentstore/views/library.py
...
...
@@ -72,21 +72,20 @@ def library_handler(request, library_key_string=None):
log
.
exception
(
"Attempted to use the content library API when the libraries feature is disabled."
)
raise
Http404
# Should never happen because we test the feature in urls.py also
if
not
get_library_creator_status
(
request
.
user
)
:
if
not
request
.
user
.
is_staff
:
if
request
.
method
==
'POST'
:
if
not
get_library_creator_status
(
request
.
user
)
:
return
HttpResponseForbidden
()
if
library_key_string
is
not
None
and
request
.
method
==
'POST'
:
return
HttpResponseNotAllowed
((
"POST"
,))
if
library_key_string
is
not
None
:
return
HttpResponseNotAllowed
((
"POST"
,))
if
request
.
method
==
'POST'
:
return
_create_library
(
request
)
# request method is get, since only GET and POST are allowed by @require_http_methods(('GET', 'POST'))
if
library_key_string
:
return
_display_library
(
library_key_string
,
request
)
else
:
if
library_key_string
:
return
_display_library
(
library_key_string
,
request
)
return
_list_libraries
(
request
)
return
_list_libraries
(
request
)
def
_display_library
(
library_key_string
,
request
):
...
...
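Review bot: With the creator check now inside the POST branch, the GET paths (`_display_library` and `_list_libraries`) are open to any user who reaches `library_handler`, so read authorization rests entirely on those two helpers, whose bodies are outside this section. It is worth confirming that each enforces per-library read access and recording that in the GET branch, e.g. `# GET: no creator gate here; _display_library/_list_libraries must enforce per-library read access`. Separately, `HttpResponseNotAllowed(("POST",))` takes the list of permitted methods, so a POST to a keyed URL is answered with `Allow: POST`. `HttpResponseNotAllowed(("GET",))` would describe the endpoint correctly; the line looks carried over from the old code, but it is re-indented here and could be fixed in the same change.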
cms/djangoapps/contentstore/views/tests/test_library.py
...
...
@@ -72,8 +72,14 @@ class UnitTestLibraries(CourseTestCase):
"""
nostaff_client
,
nostaff_user
=
self
.
create_non_staff_authed_user_client
()
self
.
assertFalse
(
get_library_creator_status
(
nostaff_user
))
response
=
nostaff_client
.
get_json
(
LIBRARY_REST_URL
)
self
.
assertEqual
(
response
.
status_code
,
200
)
# To be explicit, this user can GET, but not POST
get_response
=
nostaff_client
.
get_json
(
LIBRARY_REST_URL
)
post_response
=
nostaff_client
.
ajax_post
(
LIBRARY_REST_URL
,
{
'org'
:
'org'
,
'library'
:
'lib'
,
'display_name'
:
"New Library"
,
})
self
.
assertEqual
(
get_response
.
status_code
,
200
)
self
.
assertEqual
(
post_response
.
status_code
,
403
)
@patch
(
"contentstore.views.library.LIBRARIES_ENABLED"
,
False
)
def
test_with_libraries_disabled
(
self
):
...
...
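Review bot: The new assertions exercise only `LIBRARY_REST_URL`, so the GET of a single library, the other path that lost the creator gate, is not covered for this non-creator user. Adding a GET for a library on which `nostaff_user` holds no role, with the expected status asserted, would pin down that per-library access control still applies after the move. The test method begins above the hunk, so the settings that make `get_library_creator_status(nostaff_user)` false are not visible here.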