def see_exists():
"""
Can see if can enroll, but also if can load it: if user enrolled in a course and now
it's past the enrollment period, they should still see it.
"""
# VS[compat] -- this setting should go away once all courses have
# properly configured enrollment_start times (if course should be
# staff-only, set enrollment_start far in the future.)
if settings.FEATURES.get('ACCESS_REQUIRE_STAFF_FOR_COURSE'):
dog_stats_api.increment(
DEPRECATION_VSCOMPAT_EVENT,
tags=(
"location:has_access_course_desc_see_exists",
u"course:{}".format(course),
)
)
# if this feature is on, only allow courses that have ispublic set to be
# seen by non-staff
if course.ispublic:
debug("Allow: ACCESS_REQUIRE_STAFF_FOR_COURSE and ispublic")
return ACCESS_GRANTED
return _has_staff_access_to_descriptor(user, course, course.id)
return ACCESS_GRANTED if (can_enroll() or can_load()) else ACCESS_DENIED
def see_exists():
"""
Can see if can enroll, but also if can load it: if user enrolled in a course and now
it's past the enrollment period, they should still see it.
"""
# VS[compat] -- this setting should go away once all courses have
# properly configured enrollment_start times (if course should be
# staff-only, set enrollment_start far in the future.)
if settings.FEATURES.get('ACCESS_REQUIRE_STAFF_FOR_COURSE'):
dog_stats_api.increment(
DEPRECATION_VSCOMPAT_EVENT,
tags=(
"location:has_access_course_desc_see_exists",
u"course:{}".format(course),
))
# if this feature is on, only allow courses that have ispublic set to be
# seen by non-staff
if course.ispublic:
debug("Allow: ACCESS_REQUIRE_STAFF_FOR_COURSE and ispublic")
return ACCESS_GRANTED
return _has_staff_access_to_descriptor(user, course, course.id)
return ACCESS_GRANTED if (can_enroll()
or can_load()) else ACCESS_DENIED
def check_staff():
"""
Checks for staff access
"""
if perm != 'global':
debug("Deny: invalid permission '%s'", perm)
return ACCESS_DENIED
return ACCESS_GRANTED if GlobalStaff().has_user(user) else ACCESS_DENIED
def _can_access_descriptor_with_milestones(user, descriptor, course_key):
"""
Returns if the object is blocked by an unfulfilled milestone.
Args:
user: the user trying to access this content
descriptor: the object being accessed
course_key: key for the course for this descriptor
"""
if milestones_helpers.get_course_content_milestones(course_key, unicode(descriptor.location), 'requires', user.id):
debug("Deny: user has not completed all milestones for content")
return ACCESS_DENIED
else:
return ACCESS_GRANTED
def _can_enroll_courselike(user, courselike):
"""
Ascertain if the user can enroll in the given courselike object.
Arguments:
user (User): The user attempting to enroll.
courselike (CourseDescriptor or CourseOverview): The object representing the
course in which the user is trying to enroll.
Returns:
AccessResponse, indicating whether the user can enroll.
"""
enrollment_domain = courselike.enrollment_domain
# Courselike objects (e.g., course descriptors and CourseOverviews) have an attribute named `id`
# which actually points to a CourseKey. Sigh.
course_key = courselike.id
# If using a registration method to restrict enrollment (e.g., Shibboleth)
if settings.FEATURES.get('RESTRICT_ENROLL_BY_REG_METHOD') and enrollment_domain:
if user is not None and user.is_authenticated() and \
ExternalAuthMap.objects.filter(user=user, external_domain=enrollment_domain):
debug("Allow: external_auth of " + enrollment_domain)
reg_method_ok = True
else:
reg_method_ok = False
else:
reg_method_ok = True
# If the user appears in CourseEnrollmentAllowed paired with the given course key,
# they may enroll, except if the CEA has already been used by a different user.
# Note that as dictated by the legacy database schema, the filter call includes
# a `course_id` kwarg which requires a CourseKey.
if user is not None and user.is_authenticated():
cea = CourseEnrollmentAllowed.objects.filter(email=user.email, course_id=course_key).first()
if cea and cea.valid_for_user(user):
return ACCESS_GRANTED
elif cea:
debug("Deny: CEA was already consumed by a different user {} and can't be used again by {}".format(
cea.user.id,
user.id,
))
return ACCESS_DENIED
if _has_staff_access_to_descriptor(user, courselike, course_key):
return ACCESS_GRANTED
if courselike.invitation_only:
debug("Deny: invitation only")
return ACCESS_DENIED
now = datetime.now(UTC)
enrollment_start = courselike.enrollment_start or datetime.min.replace(tzinfo=UTC)
enrollment_end = courselike.enrollment_end or datetime.max.replace(tzinfo=UTC)
if reg_method_ok and enrollment_start < now < enrollment_end:
debug("Allow: in enrollment period")
return ACCESS_GRANTED
return ACCESS_DENIED
def _dispatch(table, action, user, obj):
"""
Helper: call table[action], raising a nice pretty error if there is no such key.
user and object passed in only for error messages and debugging
"""
if action in table:
result = table[action]()
debug(u"%s user %s, object %s, action %s",
'ALLOWED' if result else 'DENIED', user,
text_type(obj.location) if isinstance(obj, XBlock) else str(obj),
action)
return result
raise ValueError(u"Unknown action for object type '{0}': '{1}'".format(
type(obj), action))
def _dispatch(table, action, user, obj):
"""
Helper: call table[action], raising a nice pretty error if there is no such key.
user and object passed in only for error messages and debugging
"""
if action in table:
result = table[action]()
debug("%s user %s, object %s, action %s",
'ALLOWED' if result else 'DENIED',
user,
text_type(obj.location) if isinstance(obj, XBlock) else str(obj),
action)
return result
raise ValueError(u"Unknown action for object type '{0}': '{1}'".format(
type(obj), action))
def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated()):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
global_staff, staff_access, instructor_access = administrative_accesses_to_course_for_user(user, course_key)
if global_staff:
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated()):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if not in_preview_mode() and is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
if GlobalStaff().has_user(user):
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
staff_access = (
CourseStaffRole(course_key).has_user(user) or
OrgStaffRole(course_key.org).has_user(user)
)
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
instructor_access = (
CourseInstructorRole(course_key).has_user(user) or
OrgInstructorRole(course_key.org).has_user(user)
)
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated()):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
global_staff, staff_access, instructor_access = administrative_accesses_to_course_for_user(
user, course_key)
if global_staff:
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug(
"Error in access._has_access_to_course access_level=%s unknown",
access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
org_user = OrganizationUser.objects.filter(
active=True, organization__short_name=course_key.org,
user_id=user.id).values().first()
staff_access = (CourseStaffRole(course_key).has_user(user)
or OrgStaffRole(course_key.org).has_user(user)
or (org_user and org_user['is_staff']))
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated()):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if not in_preview_mode() and is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
if GlobalStaff().has_user(user):
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
staff_access = (
CourseStaffRole(course_key).has_user(user) or
OrgStaffRole(course_key.org).has_user(user)
)
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
instructor_access = (
CourseInstructorRole(course_key).has_user(user) or
OrgInstructorRole(course_key.org).has_user(user)
)
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
