Example #1
0
def cm_enroll_user(request):
    response_format = request.REQUEST.get('format','html')
    if response_format == 'json' or 'application/json' in request.META.get('HTTP/ACCEPT', 'application/json'):
        if request.method == 'POST':
            if validate_token(request.body, request) is False:
                return HttpResponse('Unauthorized', status=401)
            if 'email' not in request.json or 'course_id' not in request.json:
                return HttpResponse(content=json.dumps({'errors':'Missing params'}), \
                        content_type = 'application/json', status=400)
            try:
                log.info("Enrolling user: "******" course: " + request.json.get('course_id'))
                CourseEnrollment.enroll_by_email(request.json.get('email'), \
                                                 get_key_from_course_id(request.json.get('course_id')), ignore_errors=False)

                # See if enrolling with staff credentials
                if request.json.get('role') == 'staff':
                    global_admin = AdminFactory()
                    course = get_key_from_course_id(request.json.get('course_id'))
                    auth.add_users(global_admin, CourseInstructorRole(course), User.objects.get(email=request.json.get('email')))
                    
                content = {'success':'ok'}
                status_code = 200
            except User.DoesNotExist:
                content = {'errors':'User does not exist'}
                status_code = 422
            return HttpResponse(content=json.dumps(content), status=status_code, \
                    content_type = 'application/json')
        else:
            return HttpResponse(content=json.dumps({}), status=404, content_type = 'application/json')
    else:
        return HttpResponse(content=json.dumps({}), status=404, content_type = 'application/json')
Example #2
0
 def test_get_user_role_staff(self):
     """
     Verifies if user is staff.
     """
     add_users(self.global_admin, CourseStaffRole(self.course_key),
               self.staff)
     self.assertEqual('staff', get_user_role(self.staff, self.course_key))
Example #3
0
    def test_add_user_to_group_requires_staff_access(self):
        with self.assertRaises(PermissionDenied):
            self.admin.is_staff = False
            add_users(self.admin, CourseCreatorRole(), self.user)

        with self.assertRaises(PermissionDenied):
            add_users(self.user, CourseCreatorRole(), self.user)
Example #4
0
    def test_get_all_users(self):
        """
        Test getting all authors for a course where their permissions run the gamut of allowed group
        types.
        """
        # first check the course creator.has explicit access (don't use has_access as is_staff
        # will trump the actual test)
        self.assertTrue(CourseInstructorRole(self.course_key).has_user(self.user), "Didn't add creator as instructor.")
        users = copy.copy(self.users)
        # doesn't use role.users_with_role b/c it's verifying the roles.py behavior
        user_by_role = {}
        # add the misc users to the course in different groups
        for role in [CourseInstructorRole, CourseStaffRole, OrgStaffRole, OrgInstructorRole]:
            user_by_role[role] = []
            # Org-based roles are created via org name, rather than course_key
            if (role is OrgStaffRole) or (role is OrgInstructorRole):
                group = role(self.course_key.org)
            else:
                group = role(self.course_key)
            # NOTE: this loop breaks the roles.py abstraction by purposely assigning
            # users to one of each possible groupname in order to test that has_course_author_access
            # and remove_user work
            user = users.pop()
            group.add_users(user)
            user_by_role[role].append(user)
            self.assertTrue(
                auth.has_course_author_access(user, self.course_key), "{} does not have access".format(user)
            )

        course_team_url = reverse_course_url("course_team_handler", self.course_key)
        response = self.client.get_html(course_team_url)
        for role in [CourseInstructorRole, CourseStaffRole]:  # Global and org-based roles don't appear on this page
            for user in user_by_role[role]:
                self.assertContains(response, user.email)

        # test copying course permissions
        copy_course_key = self.store.make_course_key("copyu", "copydept.mycourse", "myrun")
        for role in [CourseInstructorRole, CourseStaffRole, OrgStaffRole, OrgInstructorRole]:
            if (role is OrgStaffRole) or (role is OrgInstructorRole):
                auth.add_users(self.user, role(copy_course_key.org), *role(self.course_key.org).users_with_role())
            else:
                auth.add_users(self.user, role(copy_course_key), *role(self.course_key).users_with_role())
        # verify access in copy course and verify that removal from source course w/ the various
        # groupnames works
        for role in [CourseInstructorRole, CourseStaffRole, OrgStaffRole, OrgInstructorRole]:
            for user in user_by_role[role]:
                # forcefully decache the groups: premise is that any real request will not have
                # multiple objects repr the same user but this test somehow uses different instance
                # in above add_users call
                if hasattr(user, "_roles"):
                    del user._roles

                self.assertTrue(auth.has_course_author_access(user, copy_course_key), "{} no copy access".format(user))
                if (role is OrgStaffRole) or (role is OrgInstructorRole):
                    auth.remove_users(self.user, role(self.course_key.org), user)
                else:
                    auth.remove_users(self.user, role(self.course_key), user)
                self.assertFalse(
                    auth.has_course_author_access(user, self.course_key), "{} remove didn't work".format(user)
                )
Example #5
0
 def test_add_user_to_group_requires_authenticated(self):
     with self.assertRaises(PermissionDenied):
         with mock.patch(
             'django.contrib.auth.models.User.is_authenticated',
             new_callable=mock.PropertyMock
         ) as mock_is_auth:
             mock_is_auth.return_value = False
             add_users(self.admin, CourseCreatorRole(), self.user)
Example #6
0
def add_course_author(user, course):
    """
    Add the user to the instructor group of the course
    so they will have the permissions to see it in studio
    """
    global_admin = AdminFactory()
    for role in (CourseStaffRole, CourseInstructorRole):
        auth.add_users(global_admin, role(course.id), user)
Example #7
0
    def test_detail_delete_staff(self):
        auth.add_users(self.user, CourseStaffRole(self.course.id), self.ext_user)

        resp = self.client.delete(self.detail_url, HTTP_ACCEPT="application/json")
        self.assertEqual(resp.status_code, 204)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertFalse(auth.user_has_role(ext_user, CourseStaffRole(self.course.id)))
Example #8
0
    def test_detail_delete_instructor(self):
        auth.add_users(self.user, CourseInstructorRole(self.course_locator), self.ext_user, self.user)

        resp = self.client.delete(self.detail_url, HTTP_ACCEPT="application/json")
        self.assertEqual(resp.status_code, 204)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertFalse(auth.has_access(ext_user, CourseInstructorRole(self.course_locator)))
Example #9
0
def add_instructor(course_key, requesting_user, new_instructor):
    """
    Adds given user as instructor and staff to the given course,
    after verifying that the requesting_user has permission to do so.
    """
    # can't use auth.add_users here b/c it requires user to already have Instructor perms in this course
    CourseInstructorRole(course_key).add_users(new_instructor)
    auth.add_users(requesting_user, CourseStaffRole(course_key), new_instructor)
Example #10
0
 def test_add_user_to_group_requires_authenticated(self):
     with self.assertRaises(PermissionDenied):
         with mock.patch(
             'django.contrib.auth.models.User.is_authenticated',
             new_callable=mock.PropertyMock
         ) as mock_is_auth:
             mock_is_auth.return_value = False
             add_users(self.admin, CourseCreatorRole(), self.user)
Example #11
0
def add_instructor(course_key, requesting_user, new_instructor):
    """
    Adds given user as instructor and staff to the given course,
    after verifying that the requesting_user has permission to do so.
    """
    # can't use auth.add_users here b/c it requires user to already have Instructor perms in this course
    CourseInstructorRole(course_key).add_users(new_instructor)
    auth.add_users(requesting_user, CourseStaffRole(course_key), new_instructor)
Example #12
0
def add_course_author(user, course):
    """
    Add the user to the instructor group of the course
    so they will have the permissions to see it in studio
    """
    global_admin = AdminFactory()
    for role in (CourseStaffRole, CourseInstructorRole):
        auth.add_users(global_admin, role(course.id), user)
Example #13
0
 def test_add_user_not_active(self):
     """
     Tests that adding to creator group fails if user is not active
     """
     with mock.patch.dict('django.conf.settings.FEATURES',
                          {'DISABLE_COURSE_CREATION': False, "ENABLE_CREATOR_GROUP": True}):
         self.user.is_active = False
         add_users(self.admin, CourseCreatorRole(), self.user)
         self.assertFalse(has_access(self.user, CourseCreatorRole()))
Example #14
0
 def test_add_user_not_active(self):
     """
     Tests that adding to creator group fails if user is not active
     """
     with mock.patch.dict('django.conf.settings.FEATURES',
                          {'DISABLE_COURSE_CREATION': False, "ENABLE_CREATOR_GROUP": True}):
         self.user.is_active = False
         add_users(self.admin, CourseCreatorRole(), self.user)
         self.assertFalse(has_access(self.user, CourseCreatorRole()))
Example #15
0
 def test_remove_user_from_course_group_permission_denied(self):
     """
     Verifies PermissionDenied if caller of remove_user_from_course_group is not instructor role.
     """
     add_users(self.global_admin, CourseInstructorRole(self.location), self.creator)
     another_staff = User.objects.create_user('another', '*****@*****.**', 'foo')
     add_users(self.global_admin, CourseStaffRole(self.location), self.creator, self.staff, another_staff)
     with self.assertRaises(PermissionDenied):
         remove_users(self.staff, CourseStaffRole(self.location), another_staff)
 def setUp(self):
     """
     Set up test variables
     """
     super(CCXCourseGroupTest, self).setUp()
     self.global_admin = AdminFactory()
     self.staff = User.objects.create_user('teststaff', '*****@*****.**', 'foo')
     self.ccx_course_key = CCXLocator.from_string('ccx-v1:edX+DemoX+Demo_Course+ccx@1')
     add_users(self.global_admin, CourseStaffRole(self.ccx_course_key), self.staff)
 def test_get_user_role_staff_locator(self):
     """
     Verifies if user is staff, using a CourseLocator.
     """
     add_users(self.global_admin, CourseStaffRole(self.locator), self.staff)
     self.assertEqual(
         'staff',
         get_user_role(self.staff, self.locator)
     )
Example #18
0
 def test_get_user_role_staff_locator(self):
     """
     Verifies if user is staff, using a CourseLocator.
     """
     add_users(self.global_admin, CourseStaffRole(self.locator), self.staff)
     self.assertEqual(
         'staff',
         get_user_role(self.staff, self.locator)
     )
Example #19
0
 def test_get_user_role_staff(self):
     """
     Verifies if user is staff.
     """
     add_users(self.global_admin, CourseStaffRole(self.course_key), self.staff)
     self.assertEqual(
         'staff',
         get_user_role(self.staff, self.course_key)
     )
Example #20
0
 def test_remove_user_from_course_group_permission_denied(self):
     """
     Verifies PermissionDenied if caller of remove_user_from_course_group is not instructor role.
     """
     add_users(self.global_admin, CourseInstructorRole(self.course_key), self.creator)
     another_staff = User.objects.create_user('another', '*****@*****.**', 'foo')
     add_users(self.global_admin, CourseStaffRole(self.course_key), self.creator, self.staff, another_staff)
     with self.assertRaises(PermissionDenied):
         remove_users(self.staff, CourseStaffRole(self.course_key), another_staff)
Example #21
0
    def test_permission_denied_other(self):
        auth.add_users(self.user, CourseStaffRole(self.course_locator), self.user)
        self.user.is_staff = False
        self.user.save()

        resp = self.client.post(self.detail_url, data={"role": "instructor"}, HTTP_ACCEPT="application/json")
        self.assertEqual(resp.status_code, 400)
        result = json.loads(resp.content)
        self.assertIn("error", result)
Example #22
0
 def test_get_user_role_instructor_locator(self):
     """
     Verifies if user is instructor, using a CourseLocator.
     """
     add_users(self.global_admin, CourseInstructorRole(self.locator), self.instructor)
     self.assertEqual(
         'instructor',
         get_user_role(self.instructor, self.locator)
     )
Example #23
0
 def setUp(self):
     """
     Set up test variables
     """
     super(CCXCourseGroupTest, self).setUp()
     self.global_admin = AdminFactory()
     self.staff = User.objects.create_user('teststaff', '*****@*****.**', 'foo')
     self.ccx_course_key = CCXLocator.from_string('ccx-v1:edX+DemoX+Demo_Course+ccx@1')
     add_users(self.global_admin, CourseStaffRole(self.ccx_course_key), self.staff)
Example #24
0
    def test_studio_user_permissions(self):
        """
        Test that user could attach to the problem only libraries that he has access (or which were created by him).
        This test was created on the basis of bug described in the pull requests on github:
        https://github.com/edx/edx-platform/pull/11331
        https://github.com/edx/edx-platform/pull/11611
        """
        self._create_library(org='admin_org_1', library='lib_adm_1', display_name='admin_lib_1')
        self._create_library(org='admin_org_2', library='lib_adm_2', display_name='admin_lib_2')

        self._login_as_non_staff_user()

        self._create_library(org='staff_org_1', library='lib_staff_1', display_name='staff_lib_1')
        self._create_library(org='staff_org_2', library='lib_staff_2', display_name='staff_lib_2')

        with modulestore().default_store(ModuleStoreEnum.Type.split):
            course = CourseFactory.create()

        instructor_role = CourseInstructorRole(course.id)
        auth.add_users(self.user, instructor_role, self.non_staff_user)

        lib_block = ItemFactory.create(
            category='library_content',
            parent_location=course.location,
            user_id=self.non_staff_user.id,
            publish_item=False
        )

        def _get_settings_html():
            """
            Helper function to get block settings HTML
            Used to check the available libraries.
            """
            edit_view_url = reverse_usage_url("xblock_view_handler", lib_block.location, {"view_name": STUDIO_VIEW})

            resp = self.client.get_json(edit_view_url)
            self.assertEquals(resp.status_code, 200)

            return parse_json(resp)['html']

        self._login_as_staff_user()
        staff_settings_html = _get_settings_html()
        self.assertIn('staff_lib_1', staff_settings_html)
        self.assertIn('staff_lib_2', staff_settings_html)
        self.assertIn('admin_lib_1', staff_settings_html)
        self.assertIn('admin_lib_2', staff_settings_html)

        self._login_as_non_staff_user()
        response = self.client.get_json(LIBRARY_REST_URL)
        staff_libs = parse_json(response)
        self.assertEquals(2, len(staff_libs))

        non_staff_settings_html = _get_settings_html()
        self.assertIn('staff_lib_1', non_staff_settings_html)
        self.assertIn('staff_lib_2', non_staff_settings_html)
        self.assertNotIn('admin_lib_1', non_staff_settings_html)
        self.assertNotIn('admin_lib_2', non_staff_settings_html)
    def test_studio_user_permissions(self):
        """
        Test that user could attach to the problem only libraries that he has access (or which were created by him).
        This test was created on the basis of bug described in the pull requests on github:
        https://github.com/edx/edx-platform/pull/11331
        https://github.com/edx/edx-platform/pull/11611
        """
        self._create_library(org='admin_org_1', library='lib_adm_1', display_name='admin_lib_1')
        self._create_library(org='admin_org_2', library='lib_adm_2', display_name='admin_lib_2')

        self._login_as_non_staff_user()

        self._create_library(org='staff_org_1', library='lib_staff_1', display_name='staff_lib_1')
        self._create_library(org='staff_org_2', library='lib_staff_2', display_name='staff_lib_2')

        with modulestore().default_store(ModuleStoreEnum.Type.split):
            course = CourseFactory.create()

        instructor_role = CourseInstructorRole(course.id)
        auth.add_users(self.user, instructor_role, self.non_staff_user)

        lib_block = ItemFactory.create(
            category='library_content',
            parent_location=course.location,
            user_id=self.non_staff_user.id,
            publish_item=False
        )

        def _get_settings_html():
            """
            Helper function to get block settings HTML
            Used to check the available libraries.
            """
            edit_view_url = reverse_usage_url("xblock_view_handler", lib_block.location, {"view_name": STUDIO_VIEW})

            resp = self.client.get_json(edit_view_url)
            self.assertEquals(resp.status_code, 200)

            return parse_json(resp)['html']

        self._login_as_staff_user()
        staff_settings_html = _get_settings_html()
        self.assertIn('staff_lib_1', staff_settings_html)
        self.assertIn('staff_lib_2', staff_settings_html)
        self.assertIn('admin_lib_1', staff_settings_html)
        self.assertIn('admin_lib_2', staff_settings_html)

        self._login_as_non_staff_user()
        response = self.client.get_json(LIBRARY_REST_URL)
        staff_libs = parse_json(response)
        self.assertEquals(2, len(staff_libs))

        non_staff_settings_html = _get_settings_html()
        self.assertIn('staff_lib_1', non_staff_settings_html)
        self.assertIn('staff_lib_2', non_staff_settings_html)
        self.assertNotIn('admin_lib_1', non_staff_settings_html)
        self.assertNotIn('admin_lib_2', non_staff_settings_html)
Example #26
0
 def test_get_user_role_instructor(self):
     """
     Verifies if user is instructor.
     """
     add_users(self.global_admin, CourseInstructorRole(self.location), self.instructor)
     self.assertEqual(
         'instructor',
         get_user_role(self.instructor, self.location, self.location.course_id)
     )
Example #27
0
    def test_filter_by_roles_course_staff(self):
        """
        Verify that course_ids are filtered by the provided roles.
        """
        # Make this user a course staff user for the course.
        course_staff_user = self.create_user(username='******',
                                             is_staff=False)
        add_users(self.global_admin, CourseStaffRole(self.course.id),
                  course_staff_user)

        # Create a second course, along with an instructor user for it.
        alternate_course = self.create_course(org='test')
        course_instructor_user = self.create_user(username='******',
                                                  is_staff=False)
        add_users(self.global_admin, CourseInstructorRole(alternate_course.id),
                  course_instructor_user)

        # Requesting the courses for which the course staff user is staff should return *only* the single course.
        self.setup_user(self.staff_user)
        filtered_response = self.verify_response(
            params={
                'username': course_staff_user.username,
                'role': 'staff'
            })
        self.assertEqual(len(filtered_response.data['results']), 1)
        self.assertTrue(filtered_response.data['results'][0].startswith(
            self.course.org))

        # The course staff user does *not* have the course instructor role on any courses.
        filtered_response = self.verify_response(
            params={
                'username': course_staff_user.username,
                'role': 'instructor'
            })
        self.assertEqual(len(filtered_response.data['results']), 0)

        # The course instructor user only has the course instructor role on one course.
        filtered_response = self.verify_response(
            params={
                'username': course_instructor_user.username,
                'role': 'instructor'
            })
        self.assertEqual(len(filtered_response.data['results']), 1)
        self.assertTrue(filtered_response.data['results'][0].startswith(
            alternate_course.org))

        # The course instructor user has the inferred course staff role on one course.
        self.setup_user(course_instructor_user)
        filtered_response = self.verify_response(
            params={
                'username': course_instructor_user.username,
                'role': 'staff'
            })
        self.assertEqual(len(filtered_response.data['results']), 1)
        self.assertTrue(filtered_response.data['results'][0].startswith(
            alternate_course.org))
Example #28
0
    def test_delete_last_instructor(self):
        auth.add_users(self.user, CourseInstructorRole(self.course.id), self.ext_user)

        resp = self.client.delete(self.detail_url, HTTP_ACCEPT="application/json")
        self.assertEqual(resp.status_code, 400)
        result = json.loads(resp.content)
        self.assertIn("error", result)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertTrue(auth.user_has_role(ext_user, CourseInstructorRole(self.course.id)))
Example #29
0
def update_course_creator_group(caller, user, add):
    """
    Method for adding and removing users from the creator group.

    Caller must have staff permissions.
    """
    if add:
        auth.add_users(caller, CourseCreatorRole(), user)
    else:
        auth.remove_users(caller, CourseCreatorRole(), user)
Example #30
0
 def test_add_user_not_authenticated(self):
     """
     Tests that adding to creator group fails if user is not authenticated
     """
     with mock.patch.dict('django.conf.settings.FEATURES',
                          {'DISABLE_COURSE_CREATION': False, "ENABLE_CREATOR_GROUP": True}):
         anonymous_user = AnonymousUser()
         role = CourseCreatorRole()
         add_users(self.admin, role, anonymous_user)
         self.assertFalse(has_access(anonymous_user, role))
Example #31
0
    def test_post_last_instructor(self):
        auth.add_users(self.user, CourseInstructorRole(self.course_locator), self.ext_user)

        resp = self.client.post(self.detail_url, data={"role": "staff"}, HTTP_ACCEPT="application/json")
        self.assertEqual(resp.status_code, 400)
        result = json.loads(resp.content)
        self.assertIn("error", result)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertTrue(auth.has_access(ext_user, CourseInstructorRole(self.course_locator)))
    def test_import_in_existing_course(self):
        """
        Check that course is imported successfully in existing course and users
        have their access roles
        """
        # Create a non_staff user and add it to course staff only
        __, nonstaff_user = self.create_non_staff_authed_user_client()
        auth.add_users(
            self.user,
            CourseStaffRole(self.course.id),
            nonstaff_user
        )

        course = self.store.get_course(self.course.id)
        self.assertIsNotNone(course)
        display_name_before_import = course.display_name

        # Check that global staff user can import course
        with open(self.good_tar) as gtar:
            args = {"name": self.good_tar, "course-data": [gtar]}
            resp = self.client.post(self.url, args)
        self.assertEquals(resp.status_code, 200)

        course = self.store.get_course(self.course.id)
        self.assertIsNotNone(course)
        display_name_after_import = course.display_name

        # Check that course display name have changed after import
        self.assertNotEqual(
            display_name_before_import,
            display_name_after_import
        )

        # Now check that non_staff user has his same role
        self.assertFalse(
            CourseInstructorRole(self.course.id).has_user(nonstaff_user)
        )
        self.assertTrue(
            CourseStaffRole(self.course.id).has_user(nonstaff_user)
        )

        # Now course staff user can also successfully import course
        self.client.login(username=nonstaff_user.username, password='******')
        with open(self.good_tar) as gtar:
            args = {"name": self.good_tar, "course-data": [gtar]}
            resp = self.client.post(self.url, args)
        self.assertEquals(resp.status_code, 200)

        # Now check that non_staff user has his same role
        self.assertFalse(
            CourseInstructorRole(self.course.id).has_user(nonstaff_user)
        )
        self.assertTrue(
            CourseStaffRole(self.course.id).has_user(nonstaff_user)
        )
Example #33
0
    def test_get_all_users(self):
        """
        Test getting all authors for a course where their permissions run the gamut of allowed group
        types.
        """
        # first check the course creator.has explicit access (don't use has_access as is_staff
        # will trump the actual test)
        self.assertTrue(
            CourseInstructorRole(self.course_key).has_user(self.user),
            "Didn't add creator as instructor.")
        users = copy.copy(self.users)
        # doesn't use role.users_with_role b/c it's verifying the roles.py behavior
        user_by_role = {}
        # add the misc users to the course in different groups
        for role in [CourseInstructorRole, CourseStaffRole]:
            user_by_role[role] = []
            # pylint: disable=protected-access
            group = role(self.course_key)
            # NOTE: this loop breaks the roles.py abstraction by purposely assigning
            # users to one of each possible groupname in order to test that has_course_access
            # and remove_user work
            user = users.pop()
            group.add_users(user)
            user_by_role[role].append(user)
            self.assertTrue(has_course_access(user, self.course_key),
                            "{} does not have access".format(user))

        course_team_url = reverse_course_url('course_team_handler',
                                             self.course_key)
        response = self.client.get_html(course_team_url)
        for role in [CourseInstructorRole, CourseStaffRole]:
            for user in user_by_role[role]:
                self.assertContains(response, user.email)

        # test copying course permissions
        copy_course_key = SlashSeparatedCourseKey('copyu', 'copydept.mycourse',
                                                  'myrun')
        for role in [CourseInstructorRole, CourseStaffRole]:
            auth.add_users(self.user, role(copy_course_key),
                           *role(self.course_key).users_with_role())
        # verify access in copy course and verify that removal from source course w/ the various
        # groupnames works
        for role in [CourseInstructorRole, CourseStaffRole]:
            for user in user_by_role[role]:
                # forcefully decache the groups: premise is that any real request will not have
                # multiple objects repr the same user but this test somehow uses different instance
                # in above add_users call
                if hasattr(user, '_roles'):
                    del user._roles

                self.assertTrue(has_course_access(user, copy_course_key),
                                "{} no copy access".format(user))
                auth.remove_users(self.user, role(self.course_key), user)
                self.assertFalse(has_course_access(user, self.course_key),
                                 "{} remove didn't work".format(user))
Example #34
0
    def test_detail_delete_instructor(self):
        auth.add_users(self.user, CourseInstructorRole(self.course.id), self.ext_user, self.user)

        resp = self.client.delete(
            self.detail_url,
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 204)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertFalse(auth.has_access(ext_user, CourseInstructorRole(self.course.id)))
Example #35
0
 def test_get_user_role_instructor(self):
     """
     Verifies if user is instructor.
     """
     add_users(self.global_admin, CourseInstructorRole(self.course_key),
               self.instructor)
     self.assertEqual('instructor',
                      get_user_role(self.instructor, self.course_key))
     add_users(self.global_admin, CourseStaffRole(self.course_key),
               self.staff)
     self.assertEqual('instructor',
                      get_user_role(self.instructor, self.course_key))
Example #36
0
 def test_add_user_not_authenticated(self):
     """
     Tests that adding to creator group fails if user is not authenticated
     """
     with mock.patch.dict('django.conf.settings.FEATURES', {
             'DISABLE_COURSE_CREATION': False,
             "ENABLE_CREATOR_GROUP": True
     }):
         anonymous_user = AnonymousUser()
         role = CourseCreatorRole()
         add_users(self.admin, role, anonymous_user)
         self.assertFalse(user_has_role(anonymous_user, role))
Example #37
0
    def test_staff_can_delete_self(self):
        auth.add_users(self.user, CourseStaffRole(self.course.id), self.user)
        self.user.is_staff = False
        self.user.save()

        self_url = self.course_team_url(email=self.user.email)

        resp = self.client.delete(self_url)
        self.assertEqual(resp.status_code, 204)
        # reload user from DB
        user = User.objects.get(email=self.user.email)
        self.assertFalse(auth.has_access(user, CourseStaffRole(self.course.id)))
Example #38
0
    def test_staff_cannot_delete_other(self):
        auth.add_users(self.user, CourseStaffRole(self.course.id), self.user, self.ext_user)
        self.user.is_staff = False
        self.user.save()

        resp = self.client.delete(self.detail_url)
        self.assertEqual(resp.status_code, 403)
        result = json.loads(resp.content)
        self.assertIn("error", result)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertTrue(auth.has_access(ext_user, CourseStaffRole(self.course.id)))
Example #39
0
    def test_delete_last_instructor(self):
        auth.add_users(self.user, CourseInstructorRole(self.course.id), self.ext_user)

        resp = self.client.delete(
            self.detail_url,
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 400)
        result = json.loads(resp.content)
        self.assertIn("error", result)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertTrue(auth.has_access(ext_user, CourseInstructorRole(self.course.id)))
Example #40
0
    def test_creator_group_enabled_nonempty(self):
        """ Tests creator group feature on, user added. """
        with mock.patch.dict('django.conf.settings.FEATURES', {"ENABLE_CREATOR_GROUP": True}):
            add_users(self.admin, CourseCreatorRole(), self.user)
            self.assertTrue(user_has_role(self.user, CourseCreatorRole()))

            # check that a user who has not been added to the group still returns false
            user_not_added = User.objects.create_user('testuser2', '*****@*****.**', 'foo2')
            self.assertFalse(user_has_role(user_not_added, CourseCreatorRole()))

            # remove first user from the group and verify that CourseCreatorRole().has_user now returns false
            remove_users(self.admin, CourseCreatorRole(), self.user)
            self.assertFalse(user_has_role(self.user, CourseCreatorRole()))
Example #41
0
    def test_creator_group_enabled_nonempty(self):
        """ Tests creator group feature on, user added. """
        with mock.patch.dict('django.conf.settings.FEATURES', {"ENABLE_CREATOR_GROUP": True}):
            add_users(self.admin, CourseCreatorRole(), self.user)
            self.assertTrue(has_access(self.user, CourseCreatorRole()))

            # check that a user who has not been added to the group still returns false
            user_not_added = User.objects.create_user('testuser2', '*****@*****.**', 'foo2')
            self.assertFalse(has_access(user_not_added, CourseCreatorRole()))

            # remove first user from the group and verify that CourseCreatorRole().has_user now returns false
            remove_users(self.admin, CourseCreatorRole(), self.user)
            self.assertFalse(has_access(self.user, CourseCreatorRole()))
Example #42
0
    def test_permission_denied_other(self):
        auth.add_users(self.user, CourseStaffRole(self.course.id), self.user)
        self.user.is_staff = False
        self.user.save()

        resp = self.client.post(
            self.detail_url,
            data={"role": "instructor"},
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 403)
        result = json.loads(resp.content)
        self.assertIn("error", result)
Example #43
0
    def test_add_user_to_course_group(self):
        """
        Tests adding user to course group (happy path).
        """
        # Create groups for a new course (and assign instructor role to the creator).
        self.assertFalse(
            user_has_role(self.creator, CourseInstructorRole(self.course_key)))
        add_users(self.global_admin, CourseInstructorRole(self.course_key),
                  self.creator)
        add_users(self.global_admin, CourseStaffRole(self.course_key),
                  self.creator)
        self.assertTrue(
            user_has_role(self.creator, CourseInstructorRole(self.course_key)))

        # Add another user to the staff role.
        self.assertFalse(
            user_has_role(self.staff, CourseStaffRole(self.course_key)))
        add_users(self.creator, CourseStaffRole(self.course_key), self.staff)
        self.assertTrue(
            user_has_role(self.staff, CourseStaffRole(self.course_key)))

        # Add another user to the TA role
        self.assertFalse(
            user_has_role(self.assistant,
                          CourseAssistantRole(self.course_key)))
        add_users(self.creator, CourseAssistantRole(self.course_key),
                  self.assistant)
        self.assertTrue(
            user_has_role(self.assistant,
                          CourseAssistantRole(self.course_key)))
Example #44
0
    def test_remove_user_from_course_group(self):
        """
        Tests removing user from course group (happy path).
        """
        add_users(self.global_admin, CourseInstructorRole(self.course_key),
                  self.creator)
        add_users(self.global_admin, CourseStaffRole(self.course_key),
                  self.creator)

        add_users(self.creator, CourseStaffRole(self.course_key), self.staff)
        self.assertTrue(
            user_has_role(self.staff, CourseStaffRole(self.course_key)))

        remove_users(self.creator, CourseStaffRole(self.course_key),
                     self.staff)
        self.assertFalse(
            user_has_role(self.staff, CourseStaffRole(self.course_key)))

        add_users(self.creator, CourseAssistantRole(self.course_key),
                  self.assistant)
        self.assertTrue(
            user_has_role(self.assistant,
                          CourseAssistantRole(self.course_key)))

        remove_users(self.creator, CourseAssistantRole(self.course_key),
                     self.assistant)
        self.assertFalse(
            user_has_role(self.assistant,
                          CourseAssistantRole(self.course_key)))

        remove_users(self.creator, CourseInstructorRole(self.course_key),
                     self.creator)
        self.assertFalse(
            user_has_role(self.creator, CourseInstructorRole(self.course_key)))
Example #45
0
    def test_post_last_instructor(self):
        auth.add_users(self.user, CourseInstructorRole(self.course.id), self.ext_user)

        resp = self.client.post(
            self.detail_url,
            data={"role": "staff"},
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 400)
        result = json.loads(resp.content.decode('utf-8'))
        self.assertIn("error", result)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertTrue(auth.user_has_role(ext_user, CourseInstructorRole(self.course.id)))
Example #46
0
 def test_get_user_role_instructor(self):
     """
     Verifies if user is instructor.
     """
     add_users(self.global_admin, CourseInstructorRole(self.course_key), self.instructor)
     self.assertEqual(
         'instructor',
         get_user_role(self.instructor, self.course_key)
     )
     add_users(self.global_admin, CourseStaffRole(self.course_key), self.staff)
     self.assertEqual(
         'instructor',
         get_user_role(self.instructor, self.course_key)
     )
Example #47
0
    def test_permission_denied_self(self):
        auth.add_users(self.user, CourseStaffRole(self.course.id), self.user)
        self.user.is_staff = False
        self.user.save()

        self_url = self.course_team_url(email=self.user.email)

        resp = self.client.post(
            self_url,
            data={"role": "instructor"},
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 403)
        result = json.loads(resp.content)
        self.assertIn("error", result)
Example #48
0
    def test_permission_denied_self(self):
        auth.add_users(self.user, CourseStaffRole(self.course_locator),
                       self.user)
        self.user.is_staff = False
        self.user.save()

        self_url = self.location.url_reverse('course_team', self.user.email)

        resp = self.client.post(
            self_url,
            data={"role": "instructor"},
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 400)
        result = json.loads(resp.content)
        self.assertIn("error", result)
Example #49
0
def create_other_user(_step, name, has_extra_perms, role_name):
    email = name + '@edx.org'
    user = create_studio_user(uname=name, password="******", email=email)
    if has_extra_perms:
        if role_name == "is_staff":
            GlobalStaff().add_users(user)
        else:
            if role_name == "admin":
                # admins get staff privileges, as well
                roles = (CourseStaffRole, CourseInstructorRole)
            else:
                roles = (CourseStaffRole,)
            course_key = world.scenario_dict["COURSE"].id
            global_admin = AdminFactory()
            for role in roles:
                auth.add_users(global_admin, role(course_key), user)
Example #50
0
def create_other_user(_step, name, has_extra_perms, role_name):
    email = name + '@edx.org'
    user = create_studio_user(uname=name, password="******", email=email)
    if has_extra_perms:
        if role_name == "is_staff":
            GlobalStaff().add_users(user)
        else:
            if role_name == "admin":
                # admins get staff privileges, as well
                roles = (CourseStaffRole, CourseInstructorRole)
            else:
                roles = (CourseStaffRole,)
            course_key = world.scenario_dict["COURSE"].id
            global_admin = AdminFactory()
            for role in roles:
                auth.add_users(global_admin, role(course_key), user)
Example #51
0
    def test_course_creation_disabled(self):
        """ Tests that the COURSE_CREATION_DISABLED flag overrides course creator group settings. """
        with mock.patch.dict('django.conf.settings.FEATURES',
                             {'DISABLE_COURSE_CREATION': True, "ENABLE_CREATOR_GROUP": True}):
            # Add user to creator group.
            add_users(self.admin, CourseCreatorRole(), self.user)

            # DISABLE_COURSE_CREATION overrides (user is not marked as staff).
            self.assertFalse(user_has_role(self.user, CourseCreatorRole()))

            # Mark as staff. Now CourseCreatorRole().has_user returns true.
            self.user.is_staff = True
            self.assertTrue(user_has_role(self.user, CourseCreatorRole()))

            # Remove user from creator group. CourseCreatorRole().has_user still returns true because is_staff=True
            remove_users(self.admin, CourseCreatorRole(), self.user)
            self.assertTrue(user_has_role(self.user, CourseCreatorRole()))
Example #52
0
    def test_course_creation_disabled(self):
        """ Tests that the COURSE_CREATION_DISABLED flag overrides course creator group settings. """
        with mock.patch.dict('django.conf.settings.FEATURES',
                             {'DISABLE_COURSE_CREATION': True, "ENABLE_CREATOR_GROUP": True}):
            # Add user to creator group.
            add_users(self.admin, CourseCreatorRole(), self.user)

            # DISABLE_COURSE_CREATION overrides (user is not marked as staff).
            self.assertFalse(has_access(self.user, CourseCreatorRole()))

            # Mark as staff. Now CourseCreatorRole().has_user returns true.
            self.user.is_staff = True
            self.assertTrue(has_access(self.user, CourseCreatorRole()))

            # Remove user from creator group. CourseCreatorRole().has_user still returns true because is_staff=True
            remove_users(self.admin, CourseCreatorRole(), self.user)
            self.assertTrue(has_access(self.user, CourseCreatorRole()))
Example #53
0
 def test_add_user_to_course_group_permission_denied(self):
     """
     Verifies PermissionDenied if caller of add_user_to_course_group is not instructor role.
     """
     add_users(self.global_admin, CourseInstructorRole(self.course_key), self.creator)
     add_users(self.global_admin, CourseStaffRole(self.course_key), self.creator)
     with self.assertRaises(PermissionDenied):
         add_users(self.staff, CourseStaffRole(self.course_key), self.staff)
     with self.assertRaises(PermissionDenied):
         add_users(self.assistant, CourseAssistantRole(self.course_key), self.assistant)
Example #54
0
 def test_add_user_to_course_group_permission_denied(self):
     """
     Verifies PermissionDenied if caller of add_user_to_course_group is not instructor role.
     """
     add_users(self.global_admin, CourseInstructorRole(self.course_key), self.creator)
     add_users(self.global_admin, CourseStaffRole(self.course_key), self.creator)
     with self.assertRaises(PermissionDenied):
         add_users(self.staff, CourseStaffRole(self.course_key), self.staff)
     with self.assertRaises(PermissionDenied):
         add_users(self.assistant, CourseAssistantRole(self.course_key), self.assistant)
Example #55
0
    def test_detail_post_staff_other_inst(self):
        auth.add_users(self.user, CourseInstructorRole(self.course.id), self.user)

        resp = self.client.post(
            self.detail_url,
            data=json.dumps({"role": "staff"}),
            content_type="application/json",
            HTTP_ACCEPT="application/json",
        )
        self.assertEqual(resp.status_code, 204)
        # reload user from DB
        ext_user = User.objects.get(email=self.ext_user.email)
        self.assertTrue(auth.has_access(ext_user, CourseStaffRole(self.course.id)))
        self.assertFalse(auth.has_access(ext_user, CourseInstructorRole(self.course.id)))
        self.assert_enrolled()
        # check that other user is unchanged
        user = User.objects.get(email=self.user.email)
        self.assertTrue(auth.has_access(user, CourseInstructorRole(self.course.id)))
        self.assertFalse(CourseStaffRole(self.course.id).has_user(user))
    def test_import_in_existing_course(self):
        """
        Check that course is imported successfully in existing course and users have their access roles
        """
        # Create a non_staff user and add it to course staff only
        __, nonstaff_user = self.create_non_staff_authed_user_client(authenticate=False)
        auth.add_users(self.user, CourseStaffRole(self.course.id), nonstaff_user)

        course = self.store.get_course(self.course.id)
        self.assertIsNotNone(course)
        display_name_before_import = course.display_name

        # Check that global staff user can import course
        with open(self.good_tar) as gtar:
            args = {"name": self.good_tar, "course-data": [gtar]}
            resp = self.client.post(self.url, args)
        self.assertEquals(resp.status_code, 200)

        course = self.store.get_course(self.course.id)
        self.assertIsNotNone(course)
        display_name_after_import = course.display_name

        # Check that course display name have changed after import
        self.assertNotEqual(display_name_before_import, display_name_after_import)

        # Now check that non_staff user has his same role
        self.assertFalse(CourseInstructorRole(self.course.id).has_user(nonstaff_user))
        self.assertTrue(CourseStaffRole(self.course.id).has_user(nonstaff_user))

        # Now course staff user can also successfully import course
        self.client.login(username=nonstaff_user.username, password='******')
        with open(self.good_tar) as gtar:
            args = {"name": self.good_tar, "course-data": [gtar]}
            resp = self.client.post(self.url, args)
        self.assertEquals(resp.status_code, 200)

        # Now check that non_staff user has his same role
        self.assertFalse(CourseInstructorRole(self.course.id).has_user(nonstaff_user))
        self.assertTrue(CourseStaffRole(self.course.id).has_user(nonstaff_user))