def get_user_permissions(user, course_key, org=None):
"""
Get the bitmask of permissions that this user has in the given course context.
Can also set course_key=None and pass in an org to get the user's
permissions for that organization as a whole.
"""
if org is None:
org = course_key.org
course_key = course_key.for_branch(None)
else:
assert course_key is None
# No one has studio permissions for CCX courses
if is_ccx_course(course_key):
return STUDIO_NO_PERMISSIONS
all_perms = STUDIO_EDIT_ROLES | STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
# global staff, org instructors, and course instructors have all permissions:
if GlobalStaff().has_user(user) or OrgInstructorRole(
org=org).has_user(user):
return all_perms
if course_key and user_has_role(user, CourseInstructorRole(course_key)):
return all_perms
if course_key and user_has_role(user, GlobalCourseCreatorRole(org)):
return all_perms
# Staff have all permissions except EDIT_ROLES:
if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role(
user, CourseStaffRole(course_key))):
return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
# Otherwise, for libraries, users can view only:
if course_key and isinstance(course_key, LibraryLocator):
if OrgLibraryUserRole(org=org).has_user(user) or user_has_role(
user, LibraryUserRole(course_key)):
return STUDIO_VIEW_USERS | STUDIO_VIEW_CONTENT
return STUDIO_NO_PERMISSIONS
def get_user_permissions(user, course_key, org=None):
"""
Get the bitmask of permissions that this user has in the given course context.
Can also set course_key=None and pass in an org to get the user's
permissions for that organization as a whole.
"""
if org is None:
org = course_key.org
course_key = course_key.for_branch(None)
else:
assert course_key is None
# No one has studio permissions for CCX courses
if is_ccx_course(course_key):
return STUDIO_NO_PERMISSIONS
all_perms = STUDIO_EDIT_ROLES | STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
# global staff, org instructors, and course instructors have all permissions:
if GlobalStaff().has_user(user) or OrgInstructorRole(
org=org).has_user(user):
return all_perms
if course_key and user_has_role(user, CourseInstructorRole(course_key)):
return all_perms
# Staff have all permissions except EDIT_ROLES:
if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role(
user, CourseStaffRole(course_key))):
return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
# Otherwise, for libraries, users can view only:
if course_key and isinstance(course_key, LibraryLocator):
if OrgLibraryUserRole(org=org).has_user(user) or user_has_role(
user, LibraryUserRole(course_key)):
return STUDIO_VIEW_USERS | STUDIO_VIEW_CONTENT
# Finally, check if user is linked directly to the organization:
user_org = OrganizationUser.objects.filter(
active=True, organization__short_name=org,
user_id=user.id).values().first()
if user_org:
if user_org['is_staff']:
return all_perms
else:
return STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT
return STUDIO_NO_PERMISSIONS
def test_read_only_role(self, use_org_level_role):
"""
Test the read-only role (LibraryUserRole and its org-level equivalent)
"""
# As staff user, add a block to self.library:
block = self._add_simple_content_block()
# Login as a non_staff_user:
self._login_as_non_staff_user()
self.assertFalse(self._can_access_library(self.library))
block_url = reverse_usage_url('xblock_handler', block.location)
def can_read_block():
""" Check if studio lets us view the XBlock in the library """
response = self.client.get_json(block_url)
self.assertIn(response.status_code,
(200, 403)) # 400 would be ambiguous
return response.status_code == 200
def can_edit_block():
""" Check if studio lets us edit the XBlock in the library """
response = self.client.ajax_post(block_url)
self.assertIn(response.status_code,
(200, 403)) # 400 would be ambiguous
return response.status_code == 200
def can_delete_block():
""" Check if studio lets us delete the XBlock in the library """
response = self.client.delete(block_url)
self.assertIn(response.status_code,
(200, 403)) # 400 would be ambiguous
return response.status_code == 200
def can_copy_block():
""" Check if studio lets us duplicate the XBlock in the library """
response = self.client.ajax_post(
reverse_url('xblock_handler'), {
'parent_locator': unicode(self.library.location),
'duplicate_source_locator': unicode(block.location),
})
self.assertIn(response.status_code,
(200, 403)) # 400 would be ambiguous
return response.status_code == 200
def can_create_block():
""" Check if studio lets us make a new XBlock in the library """
response = self.client.ajax_post(
reverse_url('xblock_handler'), {
'parent_locator': unicode(self.library.location),
'category': 'html',
})
self.assertIn(response.status_code,
(200, 403)) # 400 would be ambiguous
return response.status_code == 200
# Check that we do not have read or write access to block:
self.assertFalse(can_read_block())
self.assertFalse(can_edit_block())
self.assertFalse(can_delete_block())
self.assertFalse(can_copy_block())
self.assertFalse(can_create_block())
# Give non_staff_user read-only permission:
if use_org_level_role:
OrgLibraryUserRole(self.lib_key.org).add_users(self.non_staff_user)
else:
LibraryUserRole(self.lib_key).add_users(self.non_staff_user)
self.assertTrue(self._can_access_library(self.library))
self.assertTrue(can_read_block())
self.assertFalse(can_edit_block())
self.assertFalse(can_delete_block())
self.assertFalse(can_copy_block())
self.assertFalse(can_create_block())
def set_roles_for_edx_users(user, permissions, strategy):
'''
This function is specific functional for open-edx platform.
It create roles for edx users from sso permissions.
'''
log_message = 'For User: {}, object_type {} and object_id {} there is not matched Role for Permission set: {}'
global_perm = {
'Read', 'Update', 'Delete', 'Publication', 'Enroll',
'Manage(permissions)'
}
staff_perm = {'Read', 'Update', 'Delete', 'Publication', 'Enroll'}
tester_perm = {'Read', 'Enroll'}
role_ids = set(user.courseaccessrole_set.values_list('id', flat=True))
new_role_ids = []
is_global_staff = False
for role in permissions:
_log = False
if role['obj_type'] == '*':
if '*' in role['obj_perm'] or global_perm.issubset(
set(role['obj_perm'])):
GlobalStaff().add_users(user)
is_global_staff = True
elif 'Create' in role['obj_perm']:
if not CourseCreatorRole().has_user(user):
CourseCreatorRole().add_users(user)
car = CourseAccessRole.objects.get(user=user,
role=CourseCreatorRole.ROLE)
new_role_ids.append(car.id)
if role['obj_perm'] != '*' and global_perm != set(
role['obj_perm']) and ['Create'] != role['obj_perm']:
_log = True
elif role['obj_type'] == 'edxorg':
if '*' in role['obj_perm'] or global_perm.issubset(
set(role['obj_perm'])):
if not OrgInstructorRole(role['obj_id']).has_user(user):
OrgInstructorRole(role['obj_id']).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=OrgInstructorRole(role['obj_id'])._role_name,
org=role['obj_id'])
new_role_ids.append(car.id)
elif staff_perm.issubset(set(role['obj_perm'])):
if not OrgStaffRole(role['obj_id']).has_user(user):
OrgStaffRole(role['obj_id']).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=OrgStaffRole(role['obj_id'])._role_name,
org=role['obj_id'])
new_role_ids.append(car.id)
elif 'Read' in role['obj_perm']:
if not OrgLibraryUserRole(role['obj_id']).has_user(user):
OrgLibraryUserRole(role['obj_id']).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=OrgLibraryUserRole.ROLE,
org=role['obj_id'])
new_role_ids.append(car.id)
if role['obj_perm'] != '*' and global_perm != set(role['obj_perm']) and \
staff_perm != set(role['obj_perm']) and 'Read' not in role['obj_perm']:
_log = True
elif role['obj_type'] in ['edxcourse', 'edxlibrary']:
course_key = CourseKey.from_string(role['obj_id'])
if '*' in role['obj_perm'] or global_perm.issubset(
set(role['obj_perm'])):
if not CourseInstructorRole(course_key).has_user(user):
CourseInstructorRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=CourseInstructorRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
elif staff_perm.issubset(set(role['obj_perm'])):
if not CourseStaffRole(course_key).has_user(user):
CourseStaffRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(user=user,
role=CourseStaffRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
elif tester_perm.issubset(set(role['obj_perm'])):
if not CourseBetaTesterRole(course_key).has_user(user):
CourseBetaTesterRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=CourseBetaTesterRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
elif role['obj_type'] == 'edxlibrary' and 'Read' in role[
'obj_perm']:
if not LibraryUserRole(course_key).has_user(user):
LibraryUserRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=CourseBetaTesterRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
if role['obj_perm'] != '*' and global_perm != set(role['obj_perm']) and \
staff_perm != set(role['obj_perm']) and tester_perm != set(role['obj_perm']) and 'Read' not in role['obj_perm']:
_log = True
elif role['obj_type'] == 'edxcourserun':
course_key = CourseKey.from_string(role['obj_id'])
if '*' in role['obj_perm'] or global_perm.issubset(
set(role['obj_perm'])):
if not CourseInstructorRole(course_key).has_user(user):
CourseInstructorRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=CourseInstructorRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
elif staff_perm.issubset(set(role['obj_perm'])):
if not CourseStaffRole(course_key).has_user(user):
CourseStaffRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(user=user,
role=CourseStaffRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
elif tester_perm.issubset(set(role['obj_perm'])):
if not CourseBetaTesterRole(course_key).has_user(user):
CourseBetaTesterRole(course_key).add_users(user)
car = CourseAccessRole.objects.get(
user=user,
role=CourseBetaTesterRole.ROLE,
course_id=course_key)
new_role_ids.append(car.id)
if role['obj_perm'] != '*' and global_perm != set(role['obj_perm']) and \
staff_perm != set(role['obj_perm']) and tester_perm != set(role['obj_perm']):
_log = True
if _log:
logging.warning(
log_message.format(user.id, role['obj_type'], role['obj_id'],
str(role['obj_perm'])))
if (not is_global_staff) and GlobalStaff().has_user(user):
GlobalStaff().remove_users(user)
remove_roles = role_ids - set(new_role_ids)
if remove_roles:
entries = CourseAccessRole.objects.filter(id__in=list(remove_roles))
entries.delete()
