Do not allow students to pin/unpin forum threads

The wrong permission was being checked for pinning/unpinning, so a sufficiently clever student could pin and unpin threads. JIRA: FOR-499

Do not allow students to pin/unpin forum threads
The wrong permission was being checked for pinning/unpinning, so a sufficiently clever student could pin and unpin threads. JIRA: FOR-499
f56de914 · Greg Price · 14d03784 · f56de914 · f56de914 · f56de914
Commit f56de914 authored Mar 12, 2014 by Greg Price
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 2 deletions

lms/djangoapps/django_comment_client/base/tests.py
+48 -0

lms/djangoapps/django_comment_client/base/views.py
+3 -0

lms/djangoapps/django_comment_client/permissions.py
+2 -2

No files found.
--- a/lms/djangoapps/django_comment_client/base/tests.py
+++ b/lms/djangoapps/django_comment_client/base/tests.py
@@ -10,6 +10,7 @@ from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase
 from django.core.urlresolvers import reverse
 from django.core.management import call_command
 from util.testing import UrlResetMixin
+from django_comment_common.models import Role
 from django_comment_common.utils import seed_permissions_roles
 from django_comment_client.base import views
 from django_comment_client.tests.unicode import UnicodeTestMixin
@@ -519,6 +520,53 @@ class ViewsTestCase(UrlResetMixin, ModuleStoreTestCase):
        assert_equal(response.status_code, 200)
+@patch("lms.lib.comment_client.utils.requests.request")
+@override_settings(MODULESTORE=TEST_DATA_MIXED_MODULESTORE)
+class ViewPermissionsTestCase(UrlResetMixin, ModuleStoreTestCase):
+    @patch.dict("django.conf.settings.FEATURES", {"ENABLE_DISCUSSION_SERVICE": True})
+    def setUp(self):
+        super(ViewPermissionsTestCase, self).setUp()
+        self.password = "test password"
+        self.course = CourseFactory.create()
+        seed_permissions_roles(self.course.id)
+        self.student = UserFactory.create(password=self.password)
+        self.moderator = UserFactory.create(password=self.password)
+        CourseEnrollmentFactory(user=self.student, course_id=self.course.id)
+        CourseEnrollmentFactory(user=self.moderator, course_id=self.course.id)
+        self.moderator.roles.add(Role.objects.get(name="Moderator", course_id=self.course.id))
+    def test_pin_thread_as_student(self, mock_request):
+        mock_request.return_value.text = "{}"
+        self.client.login(username=self.student.username, password=self.password)
+        response = self.client.post(
+            reverse("pin_thread", kwargs={"course_id": self.course.id, "thread_id": "dummy"})
+        )
+        self.assertEqual(response.status_code, 401)
+    def test_pin_thread_as_moderator(self, mock_request):
+        mock_request.return_value.text = "{}"
+        self.client.login(username=self.moderator.username, password=self.password)
+        response = self.client.post(
+            reverse("pin_thread", kwargs={"course_id": self.course.id, "thread_id": "dummy"})
+        )
+        self.assertEqual(response.status_code, 200)
+    def test_un_pin_thread_as_student(self, mock_request):
+        mock_request.return_value.text = "{}"
+        self.client.login(username=self.student.username, password=self.password)
+        response = self.client.post(
+            reverse("un_pin_thread", kwargs={"course_id": self.course.id, "thread_id": "dummy"})
+        )
+        self.assertEqual(response.status_code, 401)
+    def test_un_pin_thread_as_moderator(self, mock_request):
+        mock_request.return_value.text = "{}"
+        self.client.login(username=self.moderator.username, password=self.password)
+        response = self.client.post(
+            reverse("un_pin_thread", kwargs={"course_id": self.course.id, "thread_id": "dummy"})
+        )
+        self.assertEqual(response.status_code, 200)
 @override_settings(MODULESTORE=TEST_DATA_MIXED_MODULESTORE)
 class CreateThreadUnicodeTestCase(ModuleStoreTestCase, UnicodeTestMixin):

--- a/lms/djangoapps/django_comment_client/base/views.py
+++ b/lms/djangoapps/django_comment_client/base/views.py
@@ -431,6 +431,9 @@ def pin_thread(request, course_id, thread_id):
    return JsonResponse(utils.safe_content(thread.to_dict()))
+@require_POST
+@login_required
+@permitted
 def un_pin_thread(request, course_id, thread_id):
    """
    given a course id and thread id, remove pin from this thread

--- a/lms/djangoapps/django_comment_client/permissions.py
+++ b/lms/djangoapps/django_comment_client/permissions.py
@@ -94,8 +94,8 @@ VIEW_PERMISSIONS = {
    'flag_abuse_for_comment': [['vote', 'is_open']],
    'un_flag_abuse_for_comment': [['vote', 'is_open']],
    'undo_vote_for_thread': [['unvote', 'is_open']],
-    'pin_thread': ['create_comment'],
+    'pin_thread': ['openclose_thread'],
-    'un_pin_thread': ['create_comment'],
+    'un_pin_thread': ['openclose_thread'],
    'follow_thread': ['follow_thread'],
    'follow_commentable': ['follow_commentable'],
    'follow_user': ['follow_user'],