def test_is_publisher_user(self):
""" Verify the function returns a boolean indicating if the user
is part of any publisher app group.
"""
self.assertFalse(is_publisher_user(self.user))
self.user.groups.add(Group.objects.get(name=REVIEWER_GROUP_NAME))
self.assertTrue(is_publisher_user(self.user))
def test_is_publisher_user(self):
"""
Verify the function returns a boolean indicating if the user is part of any publisher app group.
"""
assert not is_publisher_user(self.user)
self.user.groups.add(factories.GroupFactory())
assert is_publisher_user(self.user)
def get_queryset(self):
""" List one course run
---
parameters:
- name: include_deleted_programs
description: Will include deleted programs in the associated programs array
required: false
type: integer
paramType: query
multiple: false
"""
q = self.request.query_params.get('q')
partner = self.request.site.partner
edit_mode = get_query_param(self.request, 'editable') or self.request.method not in SAFE_METHODS
if edit_mode and q:
raise EditableAndQUnsupported()
if edit_mode and (not self.request.user.is_staff and not is_publisher_user(self.request.user)):
raise PermissionDenied
if edit_mode:
queryset = CourseRun.objects.filter_drafts()
queryset = CourseEditor.editable_course_runs(self.request.user, queryset)
else:
queryset = self.queryset
if q:
qs = SearchQuerySetWrapper(CourseRun.search(q).filter(partner=partner.short_code))
# This is necessary to avoid issues with the filter backend.
qs.model = self.queryset.model
return qs
queryset = queryset.filter(course__partner=partner)
return self.get_serializer_class().prefetch_queryset(queryset=queryset)
def get_queryset(self):
partner = self.request.site.partner
q = self.request.query_params.get('q')
# We don't want to create an additional elasticsearch index right now for draft courses, so we
# try to implement a basic search behavior with this pubq parameter here against key and name.
pub_q = self.request.query_params.get('pubq')
edit_method = self.request.method not in SAFE_METHODS
edit_mode = get_query_param(self.request, 'editable') or edit_method
if edit_mode and q:
raise EditableAndQUnsupported()
if edit_mode and (not self.request.user.is_staff and not is_publisher_user(self.request.user)):
raise PermissionDenied
if edit_mode:
# Start with either draft versions or real versions of the courses
queryset = Course.objects.filter_drafts()
queryset = CourseEditor.editable_courses(self.request.user, queryset, check_editors=edit_method)
else:
queryset = self.queryset
if q:
queryset = Course.search(q, queryset=queryset)
queryset = self.get_serializer_class().prefetch_queryset(queryset=queryset, partner=partner)
else:
if edit_mode:
course_runs = CourseRun.objects.filter_drafts(course__partner=partner)
else:
course_runs = CourseRun.objects.filter(course__partner=partner)
if not get_query_param(self.request, 'include_hidden_course_runs'):
course_runs = course_runs.exclude(hidden=True)
if get_query_param(self.request, 'marketable_course_runs_only'):
course_runs = course_runs.marketable().active()
if get_query_param(self.request, 'marketable_enrollable_course_runs_with_archived'):
course_runs = course_runs.marketable().enrollable()
if get_query_param(self.request, 'published_course_runs_only'):
course_runs = course_runs.filter(status=CourseRunStatus.Published)
if get_query_param(self.request, 'include_deleted_programs'):
programs = Program.objects.all()
else:
programs = Program.objects.exclude(status=ProgramStatus.Deleted)
queryset = self.get_serializer_class().prefetch_queryset(
queryset=queryset,
course_runs=course_runs,
partner=partner,
programs=programs,
)
if pub_q and edit_mode:
return queryset.filter(Q(key__icontains=pub_q) | Q(title__icontains=pub_q)).order_by(Lower('key'))
return queryset.order_by(Lower('key'))
def allow_request(self, request, view):
user = request.user
if user and user.is_authenticated:
if user.is_superuser or user.is_staff or is_publisher_user(user):
return True
try:
# Override this throttle's rate if applicable
user_throttle = UserThrottleRate.objects.get(user=user)
self.rate = user_throttle.rate
self.num_requests, self.duration = self.parse_rate(self.rate)
except UserThrottleRate.DoesNotExist:
pass
return super(OverridableUserRateThrottle, self).allow_request(request, view)
def allow_request(self, request, view):
user = request.user
if user and user.is_authenticated:
try:
# Override this throttle's rate if applicable
user_throttle = UserThrottleRate.objects.get(user=user)
self.rate = user_throttle.rate
self.num_requests, self.duration = self.parse_rate(self.rate)
except UserThrottleRate.DoesNotExist:
# If we don't have a custom user override, skip throttling if they are a privileged user
if user.is_superuser or user.is_staff or is_publisher_user(
user):
return True
return super().allow_request(request, view)
def has_object_permission(self, request, view, obj):
return is_publisher_user(request.user)
def has_permission(self, request, view):
return request.user.is_staff or is_publisher_user(request.user)
def wrapped(request, *args, **kwargs):
if is_publisher_user(request.user):
return func(request, *args, **kwargs)
else:
return HttpResponseForbidden(u"Must be Publisher user to perform this action.")
def wrapped(request, *args, **kwargs): # pylint: disable=missing-docstring
if is_publisher_user(request.user):
return func(request, *args, **kwargs)
else:
return HttpResponseForbidden(u"Must be Publisher user to perform this action.")
