Merge pull request #16522 from edx/efischer/EDU-1724

Move library creator checks to POST-only

Merge pull request #16522 from edx/efischer/EDU-1724
Move library creator checks to POST-only
fae15376 · Eric Fischer · GitHub · d0250baa · a0986662 · fae15376
Unverified Commit fae15376 authored Dec 04, 2017 by Eric Fischer Committed by GitHub Dec 04, 2017
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

cms/djangoapps/contentstore/views/library.py
+4 -5

cms/djangoapps/contentstore/views/tests/test_library.py
+18 -0

No files found.
--- a/cms/djangoapps/contentstore/views/library.py
+++ b/cms/djangoapps/contentstore/views/library.py
@@ -58,7 +58,7 @@ def get_library_creator_status(user):
    elif settings.FEATURES.get('ENABLE_CREATOR_GROUP', False):
        return get_course_creator_status(user) == 'granted'
    else:
-        return True
+        return not settings.FEATURES.get('DISABLE_COURSE_CREATION', False)


 @login_required
@@ -72,17 +72,16 @@ def library_handler(request, library_key_string=None):
        log.exception("Attempted to use the content library API when the libraries feature is disabled.")
        raise Http404  # Should never happen because we test the feature in urls.py also

+    if request.method == 'POST':
        if not get_library_creator_status(request.user):
-        if not request.user.is_staff:
            return HttpResponseForbidden()

-    if library_key_string is not None and request.method == 'POST':
+        if library_key_string is not None:
            return HttpResponseNotAllowed(("POST",))

-    if request.method == 'POST':
        return _create_library(request)

-    # request method is get, since only GET and POST are allowed by @require_http_methods(('GET', 'POST'))
+    else:
        if library_key_string:
            return _display_library(library_key_string, request)


--- a/cms/djangoapps/contentstore/views/tests/test_library.py
+++ b/cms/djangoapps/contentstore/views/tests/test_library.py
@@ -28,6 +28,7 @@ def make_url_for_lib(key):


 @ddt.ddt
+@mock.patch.dict('django.conf.settings.FEATURES', {'DISABLE_COURSE_CREATION': False})
 class UnitTestLibraries(CourseTestCase):
    """
    Unit tests for library views
@@ -63,6 +64,23 @@ class UnitTestLibraries(CourseTestCase):
        _, nostaff_user = self.create_non_staff_authed_user_client()
        self.assertEqual(get_library_creator_status(nostaff_user), True)

+    @mock.patch.dict('django.conf.settings.FEATURES', {'DISABLE_COURSE_CREATION': True})
+    @mock.patch("contentstore.views.library.LIBRARIES_ENABLED", True)
+    def test_library_creator_status_with_no_course_creator_role_and_disabled_nonstaff_course_creation(self):
+        """
+        Ensure that `DISABLE_COURSE_CREATION` feature works with libraries as well.
+        """
+        nostaff_client, nostaff_user = self.create_non_staff_authed_user_client()
+        self.assertFalse(get_library_creator_status(nostaff_user))
+
+        # To be explicit, this user can GET, but not POST
+        get_response = nostaff_client.get_json(LIBRARY_REST_URL)
+        post_response = nostaff_client.ajax_post(LIBRARY_REST_URL, {
+            'org': 'org', 'library': 'lib', 'display_name': "New Library",
+        })
+        self.assertEqual(get_response.status_code, 200)
+        self.assertEqual(post_response.status_code, 403)
+
    @patch("contentstore.views.library.LIBRARIES_ENABLED", False)
    def test_with_libraries_disabled(self):
        """