def remove_user(request, location): ''' This POST-back view will remove a user - specified by email - from the list of editors for the specified course ''' email = request.POST["email"] # check that logged in user has admin permissions on this course if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME): raise PermissionDenied() user = get_user_by_email(email) if user is None: return create_json_response( 'Could not find user by email address \'{0}\'.'.format(email)) # make sure we're not removing ourselves if user.id == request.user.id: raise PermissionDenied() remove_user_from_course_group(request.user, user, location, STAFF_ROLE_NAME) return create_json_response()
def test_remove_user_from_course_group_permission_denied(self): """ Verifies PermissionDenied if caller of remove_user_from_course_group is not instructor role. """ create_all_course_groups(self.creator, self.location) with self.assertRaises(PermissionDenied): remove_user_from_course_group(self.staff, self.staff, self.location, STAFF_ROLE_NAME)
def remove_user(request, location): ''' This POST-back view will remove a user - specified by email - from the list of editors for the specified course ''' email = request.POST["email"] # check that logged in user has admin permissions on this course if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME): raise PermissionDenied() user = get_user_by_email(email) if user is None: msg = { 'Status': 'Failed', 'ErrMsg': _("Could not find user by email address '{email}'.").format(email=email), } return JsonResponse(msg, 404) # make sure we're not removing ourselves if user.id == request.user.id: raise PermissionDenied() remove_user_from_course_group(request.user, user, location, STAFF_ROLE_NAME) return JsonResponse({"Status": "OK"})
def remove_user(request, location): ''' This POST-back view will remove a user - specified by email - from the list of editors for the specified course ''' email = request.POST["email"] # check that logged in user has admin permissions on this course if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME): raise PermissionDenied() user = get_user_by_email(email) if user is None: msg = { 'Status': 'Failed', 'ErrMsg': _("Could not find user by email address '{email}'.").format( email=email), } return JsonResponse(msg, 404) # make sure we're not removing ourselves if user.id == request.user.id: raise PermissionDenied() remove_user_from_course_group(request.user, user, location, STAFF_ROLE_NAME) return JsonResponse({"Status": "OK"})
def test_remove_user_from_course_group(self): """ Tests removing user from course group (happy path). """ create_all_course_groups(self.creator, self.location) self.assertTrue(add_user_to_course_group(self.creator, self.staff, self.location, STAFF_ROLE_NAME)) self.assertTrue(is_user_in_course_group_role(self.staff, self.location, STAFF_ROLE_NAME)) remove_user_from_course_group(self.creator, self.staff, self.location, STAFF_ROLE_NAME) self.assertFalse(is_user_in_course_group_role(self.staff, self.location, STAFF_ROLE_NAME)) remove_user_from_course_group(self.creator, self.creator, self.location, INSTRUCTOR_ROLE_NAME) self.assertFalse(is_user_in_course_group_role(self.creator, self.location, INSTRUCTOR_ROLE_NAME))
def test_remove_user_from_course_group(self): """ Tests removing user from course group (happy path). """ create_all_course_groups(self.creator, self.location) self.assertTrue( add_user_to_course_group(self.creator, self.staff, self.location, STAFF_ROLE_NAME)) self.assertTrue( is_user_in_course_group_role(self.staff, self.location, STAFF_ROLE_NAME)) remove_user_from_course_group(self.creator, self.staff, self.location, STAFF_ROLE_NAME) self.assertFalse( is_user_in_course_group_role(self.staff, self.location, STAFF_ROLE_NAME)) remove_user_from_course_group(self.creator, self.creator, self.location, INSTRUCTOR_ROLE_NAME) self.assertFalse( is_user_in_course_group_role(self.creator, self.location, INSTRUCTOR_ROLE_NAME))
def course_team_user(request, org, course, name, email): location = Location('i4x', org, course, 'course', name) # check that logged in user has permissions to this item if has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME): # instructors have full permissions pass elif has_access(request.user, location, role=STAFF_ROLE_NAME) and email == request.user.email: # staff can only affect themselves pass else: msg = { "error": _("Insufficient permissions") } return JsonResponse(msg, 400) try: user = User.objects.get(email=email) except: msg = { "error": _("Could not find user by email address '{email}'.").format(email=email), } return JsonResponse(msg, 404) # role hierarchy: "instructor" has more permissions than "staff" (in a course) roles = ["instructor", "staff"] if request.method == "GET": # just return info about the user msg = { "email": user.email, "active": user.is_active, "role": None, } # what's the highest role that this user has? groupnames = set(g.name for g in user.groups.all()) for role in roles: role_groupname = get_course_groupname_for_role(location, role) if role_groupname in groupnames: msg["role"] = role break return JsonResponse(msg) # can't modify an inactive user if not user.is_active: msg = { "error": _('User {email} has registered but has not yet activated his/her account.').format(email=email), } return JsonResponse(msg, 400) # make sure that the role groups exist staff_groupname = get_course_groupname_for_role(location, "staff") staff_group, __ = Group.objects.get_or_create(name=staff_groupname) inst_groupname = get_course_groupname_for_role(location, "instructor") inst_group, __ = Group.objects.get_or_create(name=inst_groupname) if request.method == "DELETE": # remove all roles in this course from this user: but fail if the user # is the last instructor in the course team instructors = set(inst_group.user_set.all()) staff = set(staff_group.user_set.all()) if user in instructors and len(instructors) == 1: msg = { "error": _("You may not remove the last instructor from a course") } return JsonResponse(msg, 400) if user in instructors: user.groups.remove(inst_group) if user in staff: user.groups.remove(staff_group) user.save() return JsonResponse() # all other operations require the requesting user to specify a role if request.META.get("CONTENT_TYPE", "") == "application/json" and request.body: try: payload = json.loads(request.body) except: return JsonResponse({"error": _("malformed JSON")}, 400) try: role = payload["role"] except KeyError: return JsonResponse({"error": _("`role` is required")}, 400) else: if not "role" in request.POST: return JsonResponse({"error": _("`role` is required")}, 400) role = request.POST["role"] if role == "instructor": if not has_access(request.user, location, role=INSTRUCTOR_ROLE_NAME): msg = { "error": _("Only instructors may create other instructors") } return JsonResponse(msg, 400) add_user_to_course_group(request.user, user, location, role) elif role == "staff": # if we're trying to downgrade a user from "instructor" to "staff", # make sure we have at least one other instructor in the course team. instructors = set(inst_group.user_set.all()) if user in instructors: if len(instructors) == 1: msg = { "error": _("You may not remove the last instructor from a course") } return JsonResponse(msg, 400) remove_user_from_course_group(request.user, user, location, "instructor") add_user_to_course_group(request.user, user, location, role) return JsonResponse()