def delete(self, request, course_key_string): course_key = CourseKey.from_string(course_key_string) email = request.data.get("email", None) validate_param_exist(email, "email") try: user = User.objects.get(email=email) except Exception: # pylint: disable=broad-except msg = { "error": "Could not find user by email address '{email}'".format( email=email) } return Response(msg, 404) auth.get_user_permissions(request.user, course_key) auth.remove_users(request.user, CourseStaffRole(course_key), user) auth.remove_users(request.user, CourseInstructorRole(course_key), user) CourseEnrollment.unenroll(user, course_key) msg = "'{email}''s permissions are revoked from '{course_key}'".format( email=email, course_key=course_key) log.info(msg) return Response( {'message': "User is removed from {}.".format(course_key)})
def _manage_users(request, course_key): """ This view will return all CMS users who are editors for the specified course """ # check that logged in user has permissions to this item user_perms = get_user_permissions(request.user, course_key) if not user_perms & STUDIO_VIEW_USERS: raise PermissionDenied() course_module = modulestore().get_course(course_key) instructors = set(CourseInstructorRole(course_key).users_with_role()) # the page only lists staff and assumes they're a superset of instructors. Do a union to ensure. staff = set( CourseStaffRole(course_key).users_with_role()).union(instructors) formatted_users = [] for user in instructors: formatted_users.append(user_with_role(user, 'instructor')) for user in staff - instructors: formatted_users.append(user_with_role(user, 'staff')) return render_to_response( 'manage_users.html', { 'context_course': course_module, 'show_transfer_ownership_hint': request.user in instructors and len(instructors) == 1, 'users': formatted_users, 'allow_actions': bool(user_perms & STUDIO_EDIT_ROLES), })
def manage_library_users(request, library_key_string): """ Studio UI for editing the users within a library. Uses the /course_team/:library_key/:user_email/ REST API to make changes. """ library_key = CourseKey.from_string(library_key_string) if not isinstance(library_key, LibraryLocator): raise Http404 # This is not a library user_perms = get_user_permissions(request.user, library_key) if not user_perms & STUDIO_VIEW_USERS: raise PermissionDenied() library = modulestore().get_library(library_key) if library is None: raise Http404 # Segment all the users explicitly associated with this library, ensuring each user only has one role listed: instructors = set(CourseInstructorRole(library_key).users_with_role()) staff = set(CourseStaffRole(library_key).users_with_role()) - instructors users = set( LibraryUserRole(library_key).users_with_role()) - instructors - staff formatted_users = [] for user in instructors: formatted_users.append(user_with_role(user, 'instructor')) for user in staff: formatted_users.append(user_with_role(user, 'staff')) for user in users: formatted_users.append(user_with_role(user, 'library_user')) return render_to_response( 'manage_users_lib.html', { 'context_library': library, 'users': formatted_users, 'allow_actions': bool(user_perms & STUDIO_EDIT_ROLES), 'library_key': str(library_key), 'lib_users_url': reverse_library_url('manage_library_users', library_key_string), 'show_children_previews': library.show_children_previews })
def _course_team_user(request, course_key, email): """ Handle the add, remove, promote, demote requests ensuring the requester has authority """ # check that logged in user has permissions to this item requester_perms = get_user_permissions(request.user, course_key) permissions_error_response = JsonResponse( {"error": _("Insufficient permissions")}, 403) if (requester_perms & STUDIO_VIEW_USERS) or (email == request.user.email): # This user has permissions to at least view the list of users or is editing themself pass else: # This user is not even allowed to know who the authorized users are. return permissions_error_response try: user = User.objects.get(email=email) except Exception: # pylint: disable=broad-except msg = { "error": _("Could not find user by email address '{email}'.").format( email=email), } return JsonResponse(msg, 404) is_library = isinstance(course_key, LibraryLocator) # Ordered list of roles: can always move self to the right, but need STUDIO_EDIT_ROLES to move any user left if is_library: role_hierarchy = (CourseInstructorRole, CourseStaffRole, LibraryUserRole) else: role_hierarchy = (CourseInstructorRole, CourseStaffRole) if request.method == "GET": # just return info about the user msg = { "email": user.email, "active": user.is_active, "role": None, } # what's the highest role that this user has? (How should this report global staff?) for role in role_hierarchy: if role(course_key).has_user(user): msg["role"] = role.ROLE break return JsonResponse(msg) # All of the following code is for editing/promoting/deleting users. # Check that the user has STUDIO_EDIT_ROLES permission or is editing themselves: if not ((requester_perms & STUDIO_EDIT_ROLES) or (user.id == request.user.id)): return permissions_error_response if request.method == "DELETE": new_role = None else: # only other operation supported is to promote/demote a user by changing their role: # role may be None or "" (equivalent to a DELETE request) but must be set. # Check that the new role was specified: if "role" in request.json or "role" in request.POST: new_role = request.json.get("role", request.POST.get("role")) else: return JsonResponse({"error": _("No `role` specified.")}, 400) # can't modify an inactive user but can remove it if not (user.is_active or new_role is None): msg = { "error": _('User {email} has registered but has not yet activated their account.' ).format(email=email), } return JsonResponse(msg, 400) old_roles = set() role_added = False for role_type in role_hierarchy: role = role_type(course_key) if role_type.ROLE == new_role: if (requester_perms & STUDIO_EDIT_ROLES) or (user.id == request.user.id and old_roles): # User has STUDIO_EDIT_ROLES permission or # is currently a member of a higher role, and is thus demoting themself auth.add_users(request.user, role, user) role_added = True else: return permissions_error_response elif role.has_user(user, check_user_activation=False): # pylint: disable=no-value-for-parameter # Remove the user from this old role: old_roles.add(role) if new_role and not role_added: return JsonResponse({"error": _("Invalid `role` specified.")}, 400) for role in old_roles: if isinstance( role, CourseInstructorRole) and role.users_with_role().count() == 1: msg = { "error": _("You may not remove the last Admin. Add another Admin first." ) } return JsonResponse(msg, 400) auth.remove_users(request.user, role, user) if new_role and not is_library: # The user may be newly added to this course. # auto-enroll the user in the course so that "View Live" will work. CourseEnrollment.enroll(user, course_key) return JsonResponse()