def check_staff():
"""
Checks for staff access
"""
if perm != 'global':
debug("Deny: invalid permission '%s'", perm)
return ACCESS_DENIED
return ACCESS_GRANTED if GlobalStaff().has_user(user) else ACCESS_DENIED
def _can_access_descriptor_with_milestones(user, descriptor, course_key):
"""
Returns if the object is blocked by an unfulfilled milestone.
Args:
user: the user trying to access this content
descriptor: the object being accessed
course_key: key for the course for this descriptor
"""
if milestones_helpers.get_course_content_milestones(
course_key, str(descriptor.location), 'requires', user.id):
debug("Deny: user has not completed all milestones for content")
return ACCESS_DENIED
else:
return ACCESS_GRANTED
def _dispatch(table, action, user, obj):
"""
Helper: call table[action], raising a nice pretty error if there is no such key.
user and object passed in only for error messages and debugging
"""
if action in table:
result = table[action]()
debug("%s user %s, object %s, action %s",
'ALLOWED' if result else 'DENIED', user,
str(obj.location) if isinstance(obj, XBlock) else str(obj),
action)
return result
raise ValueError("Unknown action for object type '{}': '{}'".format(
type(obj), action))
def _can_enroll_courselike(user, courselike):
"""
Ascertain if the user can enroll in the given courselike object.
Arguments:
user (User): The user attempting to enroll.
courselike (CourseBlock or CourseOverview): The object representing the
course in which the user is trying to enroll.
Returns:
AccessResponse, indicating whether the user can enroll.
"""
# Courselike objects (e.g., course descriptors and CourseOverviews) have an attribute named `id`
# which actually points to a CourseKey. Sigh.
course_key = courselike.id
# If the user appears in CourseEnrollmentAllowed paired with the given course key,
# they may enroll, except if the CEA has already been used by a different user.
# Note that as dictated by the legacy database schema, the filter call includes
# a `course_id` kwarg which requires a CourseKey.
if user is not None and user.is_authenticated:
cea = CourseEnrollmentAllowed.objects.filter(
email=user.email, course_id=course_key).first()
if cea and cea.valid_for_user(user):
return ACCESS_GRANTED
elif cea:
debug(
"Deny: CEA was already consumed by a different user {} and can't be used again by {}"
.format(
cea.user.id,
user.id,
))
return ACCESS_DENIED
if _has_staff_access_to_descriptor(user, courselike, course_key):
return ACCESS_GRANTED
# Access denied when default value of COURSES_INVITE_ONLY set to True
if is_courses_default_invite_only_enabled() or courselike.invitation_only:
debug("Deny: invitation only")
return ACCESS_DENIED
now = datetime.now(UTC)
enrollment_start = courselike.enrollment_start or datetime.min.replace(
tzinfo=UTC)
enrollment_end = courselike.enrollment_end or datetime.max.replace(
tzinfo=UTC)
if enrollment_start < now < enrollment_end:
debug("Allow: in enrollment period")
return ACCESS_GRANTED
return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
global_staff, staff_access, instructor_access = administrative_accesses_to_course_for_user(
user, course_key)
if global_staff:
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug(
"Error in access._has_access_to_course access_level=%s unknown",
access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
