Merge pull request #924 from MITx/fix/cdodge/manage-users

fix 403 error when editors visit page (make read only). Don't allow user...

Merge pull request #924 from MITx/fix/cdodge/manage-users
fix 403 error when editors visit page (make read only). Don't allow user...
b91f1886 · chrisndodge · 908a25d2 · ed2febe4 · b91f1886 · b91f1886
Commit b91f1886 authored Oct 16, 2012 by chrisndodge
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 3 deletions

cms/djangoapps/contentstore/views.py
+4 -2

cms/templates/manage_users.html
+7 -1

No files found.
--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -732,7 +732,7 @@ This view will return all CMS users who are editors for the specified course
 def manage_users(request, location):
    # check that logged in user has permissions to this item
-    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
+    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME) and not has_access(request.user, location, role=EDITOR_ROLE_NAME):
        raise PermissionDenied()
    course_module = modulestore().get_item(location)
@@ -742,7 +742,9 @@ def manage_users(request, location):
        'context_course': course_module,
        'staff': get_users_in_course_group_by_role(location, STAFF_ROLE_NAME),
        'add_user_postback_url' : reverse('add_user', args=[location]).rstrip('/'),
-        'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/')
+        'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/'),
+        'allow_actions' : has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME),
+        'request_user_id' : request.user.id
    })

--- a/cms/templates/manage_users.html
+++ b/cms/templates/manage_users.html
@@ -16,20 +16,26 @@
          <span class="plus-icon"></span>New User
        </a>
      </div>
+      %if allow_actions:
      <div class="new-user-form">
        <label>email: </label><input type="text" id="email" class="email-input" autocomplete="off" placeholder="email@example.com">
        <a href="#" id="add_user" class="add-button">save</a>
        <a href="#" class="cancel-button">cancel</a>
      </div>
+      %endif
      <div>
        <ol class="user-list">
          % for user in staff:
          <li>
            <span class="user-name">${user.username}</span>
            <span class="user-email">${user.email}</span>
+            %if allow_actions :
            <div class="item-actions">
-              <a href="#" class="delete-button"><span class="delete-icon"></span></a>
+              %if request_user_id != user.id:
+              <a href="#" class="delete-button remove-user" data-id="${user.email}"><span class="delete-icon"></span></a>
+              %endif
            </div>
+            %endif
          </li>
          % endfor
        </ol>