Commit b91f1886 by chrisndodge

Merge pull request #924 from MITx/fix/cdodge/manage-users

fix 403 error when editors visit page (make read only). Don't allow user...
parents 908a25d2 ed2febe4
...@@ -732,7 +732,7 @@ This view will return all CMS users who are editors for the specified course ...@@ -732,7 +732,7 @@ This view will return all CMS users who are editors for the specified course
def manage_users(request, location): def manage_users(request, location):
# check that logged in user has permissions to this item # check that logged in user has permissions to this item
if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME): if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME) and not has_access(request.user, location, role=EDITOR_ROLE_NAME):
raise PermissionDenied() raise PermissionDenied()
course_module = modulestore().get_item(location) course_module = modulestore().get_item(location)
...@@ -742,7 +742,9 @@ def manage_users(request, location): ...@@ -742,7 +742,9 @@ def manage_users(request, location):
'context_course': course_module, 'context_course': course_module,
'staff': get_users_in_course_group_by_role(location, STAFF_ROLE_NAME), 'staff': get_users_in_course_group_by_role(location, STAFF_ROLE_NAME),
'add_user_postback_url' : reverse('add_user', args=[location]).rstrip('/'), 'add_user_postback_url' : reverse('add_user', args=[location]).rstrip('/'),
'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/') 'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/'),
'allow_actions' : has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME),
'request_user_id' : request.user.id
}) })
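Review bot: The `allow_actions` entry repeats the `has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME)` call that the guard at the top of manage_users already makes; evaluate it once, `is_instructor = has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME)`, use it in the guard (`if not is_instructor and not has_access(..., role=EDITOR_ROLE_NAME):`) and pass `'allow_actions': is_instructor`, so the two checks cannot drift apart. Note that `allow_actions` only controls what the template renders: editors can now reach this page and read the add_user/remove_user postback URLs from the context, so those views must enforce the INSTRUCTOR_ROLE_NAME check themselves — they are outside this diff, so I cannot confirm they do. The body of manage_users continues beyond both hunks.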
...@@ -16,20 +16,26 @@ ...@@ -16,20 +16,26 @@
<span class="plus-icon"></span>New User <span class="plus-icon"></span>New User
</a> </a>
</div> </div>
%if allow_actions:
<div class="new-user-form"> <div class="new-user-form">
<label>email: </label><input type="text" id="email" class="email-input" autocomplete="off" placeholder="email@example.com"> <label>email: </label><input type="text" id="email" class="email-input" autocomplete="off" placeholder="email@example.com">
<a href="#" id="add_user" class="add-button">save</a> <a href="#" id="add_user" class="add-button">save</a>
<a href="#" class="cancel-button">cancel</a> <a href="#" class="cancel-button">cancel</a>
</div> </div>
%endif
<div> <div>
<ol class="user-list"> <ol class="user-list">
% for user in staff: % for user in staff:
<li> <li>
<span class="user-name">${user.username}</span> <span class="user-name">${user.username}</span>
<span class="user-email">${user.email}</span> <span class="user-email">${user.email}</span>
%if allow_actions :
<div class="item-actions"> <div class="item-actions">
<a href="#" class="delete-button"><span class="delete-icon"></span></a> %if request_user_id != user.id:
<a href="#" class="delete-button remove-user" data-id="${user.email}"><span class="delete-icon"></span></a>
%endif
</div> </div>
%endif
</li> </li>
% endfor % endfor
</ol> </ol>
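Review bot: The new `%if request_user_id != user.id:` around the remove link and the `%if allow_actions:` blocks only hide controls in the rendered page; a user can still issue the remove_user POST directly with any `data-id` value, so the server-side remove_user view must itself reject removing the requesting user and require the instructor role (that view is not in this diff, so this is a check to confirm rather than a defect I can see). The added `data-id="${user.email}"` places a user-supplied string in an attribute; unless this template's default filters already HTML-escape, write it as `data-id="${user.email | h}"` to match how attribute values should be emitted.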