add distinct 'admin' role separate from 'editors'. Only 'admins' should be able…

add distinct 'admin' role separate from 'editors'. Only 'admins' should be able to add/remove editors.

cms/djangoapps/auth/authz.py

@@ -2,9 +2,14 @@ import logging
 import sys
 
 from django.contrib.auth.models import User, Group
+from django.core.exceptions import PermissionDenied
 
 from xmodule.modulestore import Location
 
+# define a couple of simple roles, we just need ADMIN and EDITOR now for our purposes
+ADMIN_ROLE_NAME = 'admin'
+EDITOR_ROLE_NAME = 'editor'
+
 # we're just making a Django group for each location/role combo
 # to do this we're just creating a Group name which is a formatted string
 # of those two variables
@@ -19,26 +24,45 @@ def get_users_in_course_group_by_role(location, role):
     return group.user_set.all()
 
 
+'''
+Create all permission groups for a new course and subscribe the caller into those roles
+'''
+def create_all_course_groups(creator, location):
+    create_new_course_group(creator, location, ADMIN_GROUP_NAME)
+    create_new_course_group(creator, location, EDITOR_GROUP_NAME)
+
+
+def create_new_course_group(creator, location, role):
+    groupname = get_course_groupname_for_role(location, role)
+    (group, created) =Group.get_or_create(name=groupname)
+    if created:
+        group.save()
+
+    creator.groups.add(group)
+    creator.save()
+
+    return
+
+
 def add_user_to_course_group(caller, user, location, role):
-    # @todo: make sure caller has 'admin' permissions in the course
+    # only admins can add/remove other users
+    if not is_user_in_course_group_role(caller, location, ADMIN_ROLE_NAME):
+        raise PermissionDenied
+
     if user.is_active and user.is_authenticated:
         groupname = get_course_groupname_for_role(location, role)
 
-        # see if the group exists, or create if new
-        (group, created) = Group.objects.get_or_create(name=groupname)
-        if created:
-            # if newly created, then we have to save it
-            group.save()
-
+        group = Group.objects.get(name=groupname)
         user.groups.add(group)
         user.save()
         return True
 
     return False
 
+
 def get_user_by_email(email):
     user = None
-    # try to look up user
+    # try to look up user, return None if not found
     try:
         user = User.objects.get(email=email)
     except:
@@ -48,17 +72,17 @@ def get_user_by_email(email):
 
 
 def remove_user_from_course_group(caller, user, location, role):
-    # @todo: make sure caller has 'admin' permissions in the course
+    # only admins can add/remove other users
+    if not is_user_in_course_group_role(caller, location, ADMIN_ROLE_NAME):
+        raise PermissionDenied
 
+    # see if the user is actually in that role, if not then we don't have to do anything
     if is_user_in_course_group_role(user, location, role) == True:
         groupname = get_course_groupname_for_role(location, role)
 
-        # make sure the group actually exists
         group = Group.objects.get(name=groupname)
-    
-        if group is not None:
-            user.groups.remove(group)
-            user.save()
+        user.groups.remove(group)
+        user.save()
 
 
 def is_user_in_course_group_role(user, location, role):

cms/djangoapps/contentstore/views.py

@@ -40,7 +40,7 @@ from xmodule.contentstore.content import StaticContent
 
 from cache_toolbox.core import set_cached_content, get_cached_content, del_cached_content
 from auth.authz import is_user_in_course_group_role, get_users_in_course_group_by_role
-from auth.authz import get_user_by_email, add_user_to_course_group
+from auth.authz import get_user_by_email, add_user_to_course_group, ADMIN_ROLE_NAME, EDITOR_ROLE_NAME
 from .utils import get_course_location_for_item
 
 log = logging.getLogger(__name__)
@@ -91,7 +91,7 @@ def index(request):
 
 # ==== Views with per-item permissions================================
 
-def has_access(user, location, role='editor'):
+def has_access(user, location, role=EDITOR_ROLE_NAME):
     '''Return True if user allowed to access this piece of data'''
     '''Note that the CMS permissions model is with respect to courses'''
     return is_user_in_course_group_role(user, get_course_location_for_item(location), role)
@@ -535,11 +535,11 @@ def manage_users(request, org, course, name):
     location = ['i4x', org, course, 'course', name]
     
     # check that logged in user has permissions to this item
-    if not has_access(request.user, location):
+    if not has_access(request.user, location, role=ADMIN_ROLE_NAME):
         raise PermissionDenied()
 
     return render_to_response('manage_users.html', {
-        'editors': get_users_in_course_group_by_role(location, 'editor')
+        'editors': get_users_in_course_group_by_role(location, EDITOR_ROLE_NAME)
     })
     
 
@@ -565,8 +565,8 @@ def add_user(request, org, course, name):
 
     location = ['i4x', org, course, 'course', name]
     
-    # check that logged in user has permissions to this item
-    if not has_access(request.user, location):
+    # check that logged in user has admin permissions to this course
+    if not has_access(request.user, location, role=ADMIN_ROLE_NAME):
         raise PermissionDenied()
     
     user = get_user_by_email(email)
@@ -580,7 +580,7 @@ def add_user(request, org, course, name):
         return create_json_response('User {0} has registered but has not yet activated his/her account.'.format(email))
 
     # ok, we're cool to add to the course group
-    add_user_to_course_group(request.user, user, location, 'editor')
+    add_user_to_course_group(request.user, user, location, EDITOR_ROLE_NAME)
 
     return create_json_response()
 
@@ -595,13 +595,13 @@ def remove_user(request, org, course, name):
 
     location = ['i4x', org, course, 'course', name]
     
-    # check that logged in user has permissions to this item
-    if not has_access(request.user, location):
+    # check that logged in user has admin permissions on this course
+    if not has_access(request.user, location, role=ADMIN_ROLE_NAME):
         raise PermissionDenied()
     
     user = get_user_by_email(email)
     if user is not None:
-        remove_user_from_course_group(request.user, user, location, 'editor')
+        remove_user_from_course_group(request.user, user, location, EDITOR_ROLE_NAME)
 
     return create_json_response()