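def add_user(request, location):
    '''
    This POST-back view will add a user - specified by email - to the list of
    editors for the specified course.

    request: the incoming request; the target address is read from the
        "email" POST field and the caller from request.user.
    location: course location passed to has_access and
        add_user_to_course_group.

    Returns the result of create_json_response: called with a message for
    each failure case and with no arguments on success.
    Raises PermissionDenied when has_access rejects the caller for
    INSTRUCTOR_ROLE_NAME on this location.
    '''
    # Authorize before looking at any request data, so a caller without
    # instructor access gets no validation feedback from this view at all.
    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
        raise PermissionDenied()

    # .get() makes a POST without an "email" field behave like an empty one
    # instead of failing on the missing key.
    email = request.POST.get("email", '')
    if email == '':
        return create_json_response('Please specify an email address.')

    user = get_user_by_email(email)

    # The "unknown" and "not activated" answers below tell the caller whether
    # an address is registered; they are only reachable after the instructor
    # check above.
    # user doesn't exist?!? Return error.
    if user is None:
        return create_json_response(
            'Could not find user by email address \'{0}\'.'.format(email))

    # user exists, but hasn't activated account?!?
    if not user.is_active:
        return create_json_response(
            'User {0} has registered but has not yet activated his/her account.'
            .format(email))

    # ok, we're cool to add to the course group
    add_user_to_course_group(request.user, user, location, STAFF_ROLE_NAME)

    return create_json_response()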
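def add_user(request, location):
    """
    This POST-back view will add a user - specified by email - to the list of
    editors for the specified course.

    request: the incoming request; the target address is read from the
        "email" POST field and the caller from request.user.
    location: course location passed to has_access and
        add_user_to_course_group.

    Returns a JsonResponse: {"Status": "OK"} on success, otherwise a
    {"Status": "Failed", "ErrMsg": ...} body built with 400 (missing email,
    inactive account) or 404 (no such user) as the second argument.
    Raises PermissionDenied when has_access rejects the caller for
    INSTRUCTOR_ROLE_NAME on this location.
    """
    # Authorize before looking at any request data, so a caller without
    # instructor access gets no validation feedback from this view at all.
    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
        raise PermissionDenied()

    # Strip before the emptiness test so a whitespace-only value is reported
    # as missing rather than sent to the user lookup.
    email = (request.POST.get("email") or "").strip()
    if not email:
        msg = {"Status": "Failed", "ErrMsg": _("Please specify an email address.")}
        return JsonResponse(msg, 400)

    user = get_user_by_email(email)

    # The 404 and 400 answers below tell the caller whether an address is
    # registered; they are only reachable after the instructor check above.
    # The submitted address is echoed into ErrMsg as given.
    # user doesn't exist?!? Return error.
    if user is None:
        msg = {
            "Status": "Failed",
            "ErrMsg": _("Could not find user by email address '{email}'.").format(email=email),
        }
        return JsonResponse(msg, 404)

    # user exists, but hasn't activated account?!?
    if not user.is_active:
        msg = {
            "Status": "Failed",
            "ErrMsg": _("User {email} has registered but has not yet activated his/her account.").format(email=email),
        }
        return JsonResponse(msg, 400)

    # ok, we're cool to add to the course group
    add_user_to_course_group(request.user, user, location, STAFF_ROLE_NAME)

    return JsonResponse({"Status": "OK"})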
def test_add_user_to_course_group_permission_denied(self):
    """
    add_user_to_course_group must raise PermissionDenied when the calling
    user does not hold the instructor role.
    """
    # Groups are created with self.creator; self.staff is then used as both
    # the caller and the user being added.
    create_all_course_groups(self.creator, self.location)
    caller = target = self.staff
    self.assertRaises(
        PermissionDenied,
        add_user_to_course_group,
        caller, target, self.location, STAFF_ROLE_NAME
    )
def create_course(self, index):
    """
    Set up one course fixture: a creator who owns the course groups and a
    second user added to the staff role.

    index: value appended (via str) to both usernames and used as the
        course part of the location tuple.
    Returns [creator, staff].
    """
    suffix = str(index)
    creator = User.objects.create_user('testcreator' + suffix, '*****@*****.**', 'foo')
    staff = User.objects.create_user('teststaff' + suffix, '*****@*****.**', 'foo')

    location = ('i4x', 'mitX', suffix, 'course', 'test')
    create_all_course_groups(creator, location)
    # The creator is the caller granting the staff role.
    add_user_to_course_group(creator, staff, location, STAFF_ROLE_NAME)

    return [creator, staff]
def test_get_staff(self):
    """
    get_users_with_staff_role() is expected to return the staff users of
    both courses together with the creator.
    """
    # Do this test with staff in 2 different classes.
    first_location = self.location
    second_location = ('i4x', 'mitX', '103', 'course', 'test2')

    create_all_course_groups(self.creator, first_location)
    add_user_to_course_group(self.creator, self.staff, first_location, STAFF_ROLE_NAME)

    second_staff = User.objects.create_user('teststaff2', '*****@*****.**', 'foo')
    create_all_course_groups(self.creator, second_location)
    add_user_to_course_group(self.creator, second_staff, second_location, STAFF_ROLE_NAME)

    expected = {self.staff, second_staff, self.creator}
    self.assertSetEqual(expected, get_users_with_staff_role())
def test_get_instructor(self):
    """
    get_users_with_instructor_role() is expected to return exactly the two
    course creators and neither of the staff users.
    """
    # Do this test with creators in 2 different classes.
    create_all_course_groups(self.creator, self.location)
    add_user_to_course_group(self.creator, self.staff, self.location, STAFF_ROLE_NAME)

    other_location = Location('i4x', 'mitX', '103', 'course', 'test2')
    other_creator = User.objects.create_user('testcreator2', '*****@*****.**', 'foo')
    other_staff = User.objects.create_user('teststaff2', '*****@*****.**', 'foo')
    create_all_course_groups(other_creator, other_location)
    add_user_to_course_group(other_creator, other_staff, other_location, STAFF_ROLE_NAME)

    expected_instructors = {self.creator, other_creator}
    self.assertSetEqual(expected_instructors, get_users_with_instructor_role())
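def add_user(request, location):
    '''
    This POST-back view will add a user - specified by email - to the list of
    editors for the specified course.

    request: the incoming request; the target address is read from the
        "email" POST field and the caller from request.user.
    location: course location passed to has_access and
        add_user_to_course_group.

    Returns a JsonResponse: {"Status": "OK"} on success, otherwise a
    {'Status': 'Failed', 'ErrMsg': ...} body built with 400 (missing email,
    inactive account) or 404 (no such user) as the second argument.
    Raises PermissionDenied when has_access rejects the caller for
    INSTRUCTOR_ROLE_NAME on this location.
    '''
    # Authorize before looking at any request data, so a caller without
    # instructor access gets no validation feedback from this view at all.
    if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
        raise PermissionDenied()

    # remove leading/trailing whitespace *before* the emptiness test, so a
    # whitespace-only value is reported as missing instead of reaching the
    # user lookup as an empty string
    email = (request.POST.get("email") or '').strip()
    if not email:
        msg = {
            'Status': 'Failed',
            'ErrMsg': _('Please specify an email address.'),
        }
        return JsonResponse(msg, 400)

    user = get_user_by_email(email)

    # The 404 and 400 answers below tell the caller whether an address is
    # registered; they are only reachable after the instructor check above.
    # The submitted address is echoed into ErrMsg as given.
    # user doesn't exist?!? Return error.
    if user is None:
        msg = {
            'Status': 'Failed',
            'ErrMsg': _("Could not find user by email address '{email}'.").format(
                email=email),
        }
        return JsonResponse(msg, 404)

    # user exists, but hasn't activated account?!?
    if not user.is_active:
        msg = {
            'Status': 'Failed',
            'ErrMsg': _('User {email} has registered but has not yet activated his/her account.'
                        ).format(email=email),
        }
        return JsonResponse(msg, 400)

    # ok, we're cool to add to the course group
    add_user_to_course_group(request.user, user, location, STAFF_ROLE_NAME)

    return JsonResponse({"Status": "OK"})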
def test_get_staff(self):
    """
    get_users_with_staff_role() is expected to return the staff users of
    both courses together with the creator.
    """
    # Do this test with staff in 2 different classes.
    owner = self.creator

    create_all_course_groups(owner, self.location)
    add_user_to_course_group(owner, self.staff, self.location, STAFF_ROLE_NAME)

    other_location = Location('i4x', 'mitX', '103', 'course', 'test2')
    other_staff = User.objects.create_user('teststaff2', '*****@*****.**', 'foo')
    create_all_course_groups(owner, other_location)
    add_user_to_course_group(owner, other_staff, other_location, STAFF_ROLE_NAME)

    expected_staff = {self.staff, other_staff, owner}
    self.assertSetEqual(expected_staff, get_users_with_staff_role())
def test_get_instructor(self):
    """
    get_users_with_instructor_role() is expected to return exactly the two
    course creators and neither of the staff users.
    """
    # Do this test with creators in 2 different classes.
    create_all_course_groups(self.creator, self.location)
    add_user_to_course_group(self.creator, self.staff, self.location, STAFF_ROLE_NAME)

    second_location = ('i4x', 'mitX', '103', 'course2', 'test2')
    second_creator = User.objects.create_user('testcreator2', '*****@*****.**', 'foo')
    second_staff = User.objects.create_user('teststaff2', '*****@*****.**', 'foo')
    create_all_course_groups(second_creator, second_location)
    add_user_to_course_group(second_creator, second_staff, second_location, STAFF_ROLE_NAME)

    expected = {self.creator, second_creator}
    self.assertSetEqual(expected, get_users_with_instructor_role())
def test_add_user_to_course_group(self):
    """
    Happy path for granting roles: the creator becomes instructor when the
    course groups are created and can then add another user as staff.
    """
    creator, staff, location = self.creator, self.staff, self.location

    # Create groups for a new course (and assign instructor role to the creator).
    was_instructor = is_user_in_course_group_role(creator, location, INSTRUCTOR_ROLE_NAME)
    self.assertFalse(was_instructor)
    create_all_course_groups(creator, location)
    is_instructor = is_user_in_course_group_role(creator, location, INSTRUCTOR_ROLE_NAME)
    self.assertTrue(is_instructor)

    # Add another user to the staff role.
    was_staff = is_user_in_course_group_role(staff, location, STAFF_ROLE_NAME)
    self.assertFalse(was_staff)
    added = add_user_to_course_group(creator, staff, location, STAFF_ROLE_NAME)
    self.assertTrue(added)
    is_staff = is_user_in_course_group_role(staff, location, STAFF_ROLE_NAME)
    self.assertTrue(is_staff)
def test_remove_user_from_course_group(self):
    """
    Happy path for revoking roles: the creator removes the staff user and
    then removes its own instructor role.
    """
    creator, staff, location = self.creator, self.staff, self.location

    create_all_course_groups(creator, location)
    added = add_user_to_course_group(creator, staff, location, STAFF_ROLE_NAME)
    self.assertTrue(added)
    self.assertTrue(is_user_in_course_group_role(staff, location, STAFF_ROLE_NAME))

    remove_user_from_course_group(creator, staff, location, STAFF_ROLE_NAME)
    self.assertFalse(is_user_in_course_group_role(staff, location, STAFF_ROLE_NAME))

    # The helper lets the creator drop its own instructor role; this test
    # expects that call to succeed.
    remove_user_from_course_group(creator, creator, location, INSTRUCTOR_ROLE_NAME)
    self.assertFalse(is_user_in_course_group_role(creator, location, INSTRUCTOR_ROLE_NAME))
def test_add_user_to_course_group(self):
    """
    Happy path for granting roles: the creator becomes instructor when the
    course groups are created and can then add another user as staff.
    """
    def has_role(user, role):
        # Role membership in this test's course.
        return is_user_in_course_group_role(user, self.location, role)

    # Create groups for a new course (and assign instructor role to the creator).
    self.assertFalse(has_role(self.creator, INSTRUCTOR_ROLE_NAME))
    create_all_course_groups(self.creator, self.location)
    self.assertTrue(has_role(self.creator, INSTRUCTOR_ROLE_NAME))

    # Add another user to the staff role.
    self.assertFalse(has_role(self.staff, STAFF_ROLE_NAME))
    granted = add_user_to_course_group(
        self.creator, self.staff, self.location, STAFF_ROLE_NAME)
    self.assertTrue(granted)
    self.assertTrue(has_role(self.staff, STAFF_ROLE_NAME))
def test_remove_user_from_course_group(self):
    """
    Happy path for revoking roles: the creator removes the staff user and
    then removes its own instructor role.
    """
    def has_role(user, role):
        # Role membership in this test's course.
        return is_user_in_course_group_role(user, self.location, role)

    create_all_course_groups(self.creator, self.location)
    granted = add_user_to_course_group(
        self.creator, self.staff, self.location, STAFF_ROLE_NAME)
    self.assertTrue(granted)
    self.assertTrue(has_role(self.staff, STAFF_ROLE_NAME))

    remove_user_from_course_group(
        self.creator, self.staff, self.location, STAFF_ROLE_NAME)
    self.assertFalse(has_role(self.staff, STAFF_ROLE_NAME))

    # The helper lets the creator drop its own instructor role; this test
    # expects that call to succeed.
    remove_user_from_course_group(
        self.creator, self.creator, self.location, INSTRUCTOR_ROLE_NAME)
    self.assertFalse(has_role(self.creator, INSTRUCTOR_ROLE_NAME))
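def course_team_user(request, org, course, name, email):
    """
    Read or change the course-team role of the user identified by `email`.

    request: the incoming request; request.user is the caller and
        request.method selects the operation.
    org, course, name: parts used to build the course Location.
    email: address of the user whose role is read or changed.

    GET returns the user's email, active flag and highest course role.
    DELETE removes the user from both course role groups.
    Any other method sets the role given as `role`, read from a JSON body
    when the content type is application/json, otherwise from POST data.

    Every failure is reported as a JsonResponse with an "error" message and
    400 or 404 as the second argument.
    """
    location = Location('i4x', org, course, 'course', name)

    # check that logged in user has permissions to this item
    if has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
        # instructors have full permissions
        pass
    elif has_access(request.user, location, role=STAFF_ROLE_NAME) and email == request.user.email:
        # staff can only affect themselves
        pass
    else:
        # NOTE(review): 403 would describe this better than 400; the status
        # is left unchanged because clients may depend on it.
        msg = {
            "error": _("Insufficient permissions")
        }
        return JsonResponse(msg, 400)

    try:
        user = User.objects.get(email=email)
    except (User.DoesNotExist, User.MultipleObjectsReturned):
        # Only the two lookup outcomes are turned into a 404. The previous
        # bare except also hid database and programming errors behind
        # "user not found".
        msg = {
            "error": _("Could not find user by email address '{email}'.").format(email=email),
        }
        return JsonResponse(msg, 404)

    # role hierarchy: "instructor" has more permissions than "staff" (in a course)
    roles = ["instructor", "staff"]

    if request.method == "GET":
        # just return info about the user
        msg = {
            "email": user.email,
            "active": user.is_active,
            "role": None,
        }
        # what's the highest role that this user has?
        groupnames = {g.name for g in user.groups.all()}
        for role in roles:
            role_groupname = get_course_groupname_for_role(location, role)
            if role_groupname in groupnames:
                msg["role"] = role
                break
        return JsonResponse(msg)

    # can't modify an inactive user
    if not user.is_active:
        msg = {
            "error": _('User {email} has registered but has not yet activated his/her account.').format(email=email),
        }
        return JsonResponse(msg, 400)

    # make sure that the role groups exist
    staff_groupname = get_course_groupname_for_role(location, "staff")
    staff_group, __ = Group.objects.get_or_create(name=staff_groupname)
    inst_groupname = get_course_groupname_for_role(location, "instructor")
    inst_group, __ = Group.objects.get_or_create(name=inst_groupname)

    if request.method == "DELETE":
        # remove all roles in this course from this user: but fail if the user
        # is the last instructor in the course team
        # NOTE(review): the count check and the removal are separate steps
        # with no transaction visible in this function; confirm whether the
        # caller wraps the request in one.
        instructors = set(inst_group.user_set.all())
        staff = set(staff_group.user_set.all())
        if user in instructors and len(instructors) == 1:
            msg = {
                "error": _("You may not remove the last instructor from a course")
            }
            return JsonResponse(msg, 400)

        if user in instructors:
            user.groups.remove(inst_group)
        if user in staff:
            user.groups.remove(staff_group)
        user.save()
        return JsonResponse()

    # all other operations require the requesting user to specify a role
    if request.META.get("CONTENT_TYPE", "") == "application/json" and request.body:
        try:
            payload = json.loads(request.body)
        except ValueError:
            return JsonResponse({"error": _("malformed JSON")}, 400)
        try:
            role = payload["role"]
        except (KeyError, TypeError):
            # TypeError covers a JSON body that is valid but not an object
            # (a list, string or number), which cannot be indexed by "role".
            return JsonResponse({"error": _("`role` is required")}, 400)
    else:
        if "role" not in request.POST:
            return JsonResponse({"error": _("`role` is required")}, 400)
        role = request.POST["role"]

    if role == "instructor":
        # A staff member acting on their own account reaches this point, so
        # the instructor check is repeated before granting the higher role.
        if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME):
            msg = {
                "error": _("Only instructors may create other instructors")
            }
            return JsonResponse(msg, 400)
        add_user_to_course_group(request.user, user, location, role)
    elif role == "staff":
        # if we're trying to downgrade a user from "instructor" to "staff",
        # make sure we have at least one other instructor in the course team.
        instructors = set(inst_group.user_set.all())
        if user in instructors:
            if len(instructors) == 1:
                msg = {
                    "error": _("You may not remove the last instructor from a course")
                }
                return JsonResponse(msg, 400)
            remove_user_from_course_group(request.user, user, location, "instructor")
        add_user_to_course_group(request.user, user, location, role)
    else:
        # An unrecognised role used to fall through to the empty success
        # response without changing anything; report it instead.
        return JsonResponse({"error": _("`role` must be one of: instructor, staff")}, 400)

    return JsonResponse()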