fix 403 error when editors visit page (make read only). Don't allow user to…

fix 403 error when editors visit page (make read only). Don't allow user to remove him/herself. Rewire up the remove user callback.

fix 403 error when editors visit page (make read only). Don't allow user to…
fix 403 error when editors visit page (make read only). Don't allow user to remove him/herself. Rewire up the remove user callback.
ed2febe4 · Chris Dodge · 3d67c960 · ed2febe4 · ed2febe4
Commit ed2febe4 authored Oct 16, 2012 by Chris Dodge
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 3 deletions

cms/djangoapps/contentstore/views.py
+4 -2

cms/templates/manage_users.html
+7 -1

No files found.
--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -731,7 +731,7 @@ This view will return all CMS users who are editors for the specified course
 def manage_users(request, location):
    # check that logged in user has permissions to this item
-    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
+    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME) and not has_access(request.user, location, role=EDITOR_ROLE_NAME):
        raise PermissionDenied()
    course_module = modulestore().get_item(location)
@@ -741,7 +741,9 @@ def manage_users(request, location):
        'context_course': course_module,
        'staff': get_users_in_course_group_by_role(location, STAFF_ROLE_NAME),
        'add_user_postback_url' : reverse('add_user', args=[location]).rstrip('/'),
-        'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/')
+        'remove_user_postback_url' : reverse('remove_user', args=[location]).rstrip('/'),
+        'allow_actions' : has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME),
+        'request_user_id' : request.user.id
    })

--- a/cms/templates/manage_users.html
+++ b/cms/templates/manage_users.html
@@ -16,20 +16,26 @@
          <span class="plus-icon"></span>New User
        </a>
      </div>
+      %if allow_actions:
      <div class="new-user-form">
        <label>email: </label><input type="text" id="email" class="email-input" autocomplete="off" placeholder="email@example.com">
        <a href="#" id="add_user" class="add-button">save</a>
        <a href="#" class="cancel-button">cancel</a>
      </div>
+      %endif
      <div>
        <ol class="user-list">
          % for user in staff:
          <li>
            <span class="user-name">${user.username}</span>
            <span class="user-email">${user.email}</span>
+            %if allow_actions :
            <div class="item-actions">
-              <a href="#" class="delete-button"><span class="delete-icon"></span></a>
+              %if request_user_id != user.id:
+              <a href="#" class="delete-button remove-user" data-id="${user.email}"><span class="delete-icon"></span></a>
+              %endif
            </div>
+            %endif
          </li>
          % endfor
        </ol>