def see_exists():
    """
    Decide whether the course is visible to the user at all.

    With ACCESS_REQUIRE_STAFF_FOR_COURSE off, the course is visible when the
    user can enroll or can load it, so a user who enrolled earlier still sees
    the course after the enrollment period has passed.

    With the flag on, can_enroll() and can_load() are not consulted: a course
    with ``ispublic`` set is granted to every caller, and any other course
    returns whatever _has_staff_access_to_descriptor decides.
    """
    staff_only_mode = settings.FEATURES.get('ACCESS_REQUIRE_STAFF_FOR_COURSE')

    if not staff_only_mode:
        if can_enroll() or can_load():
            return ACCESS_GRANTED
        return ACCESS_DENIED

    # VS[compat] -- this setting should go away once all courses have
    # properly configured enrollment_start times (if course should be
    # staff-only, set enrollment_start far in the future.)
    metric_tags = (
        "location:has_access_course_desc_see_exists",
        u"course:{}".format(course),
    )
    dog_stats_api.increment(DEPRECATION_VSCOMPAT_EVENT, tags=metric_tags)

    # Flag is on: non-staff users may only see courses marked ispublic.
    if not course.ispublic:
        return _has_staff_access_to_descriptor(user, course, course.id)

    debug("Allow: ACCESS_REQUIRE_STAFF_FOR_COURSE and ispublic")
    return ACCESS_GRANTED
def see_exists():
    """
    Report whether the user may know that the course exists.

    Normal mode: visible if the user can enroll or can load the course, which
    keeps an already-enrolled user's course visible once enrollment closes.

    ACCESS_REQUIRE_STAFF_FOR_COURSE mode: the enroll/load checks are skipped.
    A course with ``ispublic`` set is granted unconditionally; otherwise the
    result of _has_staff_access_to_descriptor is returned as-is.
    """
    if settings.FEATURES.get('ACCESS_REQUIRE_STAFF_FOR_COURSE'):
        # VS[compat] -- this setting should go away once all courses have
        # properly configured enrollment_start times (if course should be
        # staff-only, set enrollment_start far in the future.)
        course_tag = u"course:{}".format(course)
        dog_stats_api.increment(
            DEPRECATION_VSCOMPAT_EVENT,
            tags=("location:has_access_course_desc_see_exists", course_tag),
        )

        # With the feature on, only ispublic courses are shown to non-staff.
        if course.ispublic:
            debug("Allow: ACCESS_REQUIRE_STAFF_FOR_COURSE and ispublic")
            verdict = ACCESS_GRANTED
        else:
            verdict = _has_staff_access_to_descriptor(user, course, course.id)
        return verdict

    visible = can_enroll() or can_load()
    return ACCESS_GRANTED if visible else ACCESS_DENIED
def check_staff():
    """
    Grant only when ``perm`` is 'global' and the user belongs to GlobalStaff.

    Any other permission name is logged and denied before the role is
    queried, so an unrecognised ``perm`` can never result in a grant.
    """
    if perm == 'global':
        if GlobalStaff().has_user(user):
            return ACCESS_GRANTED
        return ACCESS_DENIED

    debug("Deny: invalid permission '%s'", perm)
    return ACCESS_DENIED
def _can_access_descriptor_with_milestones(user, descriptor, course_key):
    """
    Check whether unfulfilled milestones block the user from this content.

    Args:
        user: the user trying to access this content
        descriptor: the object being accessed
        course_key: key for the course for this descriptor

    Returns:
        ACCESS_DENIED when get_course_content_milestones returns a truthy
        result for the 'requires' relationship, ACCESS_GRANTED otherwise.
    """
    content_id = unicode(descriptor.location)
    # NOTE(review): user.id is passed through unchecked; what the helper does
    # for a user without an id is not visible here -- confirm.
    outstanding = milestones_helpers.get_course_content_milestones(
        course_key, content_id, 'requires', user.id
    )
    if not outstanding:
        return ACCESS_GRANTED

    debug("Deny: user has not completed all milestones for content")
    return ACCESS_DENIED
def _can_enroll_courselike(user, courselike):
    """
    Ascertain if the user can enroll in the given courselike object.

    The checks run in a fixed order and the first one that decides wins:

    1. An authenticated user with a CourseEnrollmentAllowed (CEA) row for
       their email and this course is granted if the row is valid for them,
       and denied if it is not. This is decided before the staff check.
    2. Staff access to the courselike grants enrollment.
    3. An invitation-only courselike denies everyone else.
    4. Otherwise enrollment is granted only inside the enrollment window and
       only if the registration-method restriction (when enabled) is met.

    The registration-method result is consulted only in step 4, so a valid
    CEA or staff access grants enrollment regardless of it.

    Arguments:
        user (User): The user attempting to enroll.
        courselike (CourseDescriptor or CourseOverview): The object representing the
            course in which the user is trying to enroll.

    Returns:
        AccessResponse, indicating whether the user can enroll.
    """
    enrollment_domain = courselike.enrollment_domain
    # On courselike objects (course descriptors, CourseOverviews) the `id`
    # attribute is the CourseKey.
    course_key = courselike.id

    # Registration-method restriction (e.g., Shibboleth): satisfied by default,
    # and re-evaluated only when the feature is on and a domain is configured.
    reg_method_ok = True
    if settings.FEATURES.get('RESTRICT_ENROLL_BY_REG_METHOD') and enrollment_domain:
        reg_method_ok = bool(
            user is not None
            and user.is_authenticated()
            and ExternalAuthMap.objects.filter(user=user, external_domain=enrollment_domain)
        )
        if reg_method_ok:
            debug("Allow: external_auth of " + enrollment_domain)

    # A CEA row paired with this course key lets the user enroll, unless the
    # row has already been used by a different user. The legacy schema names
    # the column `course_id`, but the filter expects a CourseKey.
    if user is not None and user.is_authenticated():
        cea = CourseEnrollmentAllowed.objects.filter(email=user.email, course_id=course_key).first()
        if cea:
            if cea.valid_for_user(user):
                return ACCESS_GRANTED
            debug("Deny: CEA was already consumed by a different user {} and can't be used again by {}".format(
                cea.user.id,
                user.id,
            ))
            return ACCESS_DENIED

    if _has_staff_access_to_descriptor(user, courselike, course_key):
        return ACCESS_GRANTED

    if courselike.invitation_only:
        debug("Deny: invitation only")
        return ACCESS_DENIED

    # A missing start or end date leaves that side of the window unbounded.
    now = datetime.now(UTC)
    window_opens = courselike.enrollment_start or datetime.min.replace(tzinfo=UTC)
    window_closes = courselike.enrollment_end or datetime.max.replace(tzinfo=UTC)
    if not (reg_method_ok and window_opens < now < window_closes):
        return ACCESS_DENIED

    debug("Allow: in enrollment period")
    return ACCESS_GRANTED
def _dispatch(table, action, user, obj):
    """
    Run the checker registered for ``action`` in ``table`` and return its result.

    ``user`` and ``obj`` are used only for the debug line and the error
    message; the checker itself is called with no arguments.

    Raises:
        ValueError: if ``action`` has no entry in ``table``. An unknown action
            is reported as an error and is never turned into a grant.
    """
    if action not in table:
        raise ValueError(u"Unknown action for object type '{0}': '{1}'".format(
            type(obj), action))

    result = table[action]()
    outcome = 'ALLOWED' if result else 'DENIED'
    # XBlocks are logged by location; anything else by its str() form.
    obj_label = text_type(obj.location) if isinstance(obj, XBlock) else str(obj)
    debug(u"%s user %s, object %s, action %s", outcome, user, obj_label, action)
    return result
def _dispatch(table, action, user, obj):
    """
    Look up ``action`` in ``table``, call the checker found there, and return
    what it returns.

    ``user`` and ``obj`` only feed the debug line and the error message.

    Raises:
        ValueError: if ``table`` has no entry for ``action``; the caller gets
            an error rather than an access decision.
    """
    try:
        checker = table[action] if action in table else None
    finally:
        pass

    if checker is None and action not in table:
        raise ValueError(u"Unknown action for object type '{0}': '{1}'".format(
            type(obj), action))

    result = checker()
    verdict_word = 'ALLOWED' if result else 'DENIED'
    # Log XBlocks by location, everything else by str().
    if isinstance(obj, XBlock):
        described = text_type(obj.location)
    else:
        described = str(obj)
    debug("%s user %s, object %s, action %s", verdict_word, user, described, action)
    return result
def _has_access_to_course(user, access_level, course_key):
    """
    Decide whether the user holds ``access_level`` on the course ``course_key``.

    Returns ACCESS_GRANTED or ACCESS_DENIED. The checks run in this order:

    1. No user, or an unauthenticated user, is denied.
    2. A user masquerading as a student is denied.
    3. Global staff is granted. This happens before ``access_level`` is
       validated, so global staff is granted for any ``access_level`` value.
    4. An ``access_level`` other than "staff" or "instructor" is denied.
    5. Course staff satisfies "staff"; course instructor satisfies both
       "staff" and "instructor".

    access_level = string, either "staff" or "instructor"
    """
    known_levels = ('staff', 'instructor')

    if not (user is not None and user.is_authenticated()):
        debug("Deny: no user or anon user")
        return ACCESS_DENIED

    if is_masquerading_as_student(user, course_key):
        return ACCESS_DENIED

    accesses = administrative_accesses_to_course_for_user(user, course_key)
    global_staff, staff_access, instructor_access = accesses

    if global_staff:
        debug("Allow: user.is_staff")
        return ACCESS_GRANTED

    if access_level not in known_levels:
        log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
        debug("Deny: unknown access level")
        return ACCESS_DENIED

    if staff_access and access_level == 'staff':
        debug("Allow: user has course staff access")
        return ACCESS_GRANTED

    # Instructor access covers the "staff" level as well.
    if instructor_access and access_level in known_levels:
        debug("Allow: user has course instructor access")
        return ACCESS_GRANTED

    debug("Deny: user did not have correct access")
    return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
    """
    Decide whether the user holds ``access_level`` on the course ``course_key``.

    Returns ACCESS_GRANTED or ACCESS_DENIED. The checks run in this order:

    1. No user, or an unauthenticated user, is denied.
    2. Outside preview mode, a user masquerading as a student is denied.
    3. A GlobalStaff member is granted. This happens before ``access_level``
       is validated, so global staff is granted for any ``access_level``.
    4. An ``access_level`` other than "staff" or "instructor" is denied.
    5. Course- or org-level staff satisfies "staff"; course- or org-level
       instructor satisfies both "staff" and "instructor".

    access_level = string, either "staff" or "instructor"
    """
    known_levels = ('staff', 'instructor')

    if not (user is not None and user.is_authenticated()):
        debug("Deny: no user or anon user")
        return ACCESS_DENIED

    # in_preview_mode() is evaluated first; the masquerade check is skipped
    # entirely while previewing.
    if not in_preview_mode() and is_masquerading_as_student(user, course_key):
        return ACCESS_DENIED

    if GlobalStaff().has_user(user):
        debug("Allow: user.is_staff")
        return ACCESS_GRANTED

    if access_level not in known_levels:
        log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
        debug("Deny: unknown access level")
        return ACCESS_DENIED

    # Staff roles are looked up before instructor roles; the instructor
    # lookup only runs when the staff check did not already grant.
    course_staff = CourseStaffRole(course_key)
    staff_access = course_staff.has_user(user) or OrgStaffRole(course_key.org).has_user(user)
    if staff_access and access_level == 'staff':
        debug("Allow: user has course staff access")
        return ACCESS_GRANTED

    course_instructor = CourseInstructorRole(course_key)
    instructor_access = (
        course_instructor.has_user(user)
        or OrgInstructorRole(course_key.org).has_user(user)
    )
    if instructor_access and access_level in known_levels:
        debug("Allow: user has course instructor access")
        return ACCESS_GRANTED

    debug("Deny: user did not have correct access")
    return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
    """
    Decide whether the user holds ``access_level`` on the course ``course_key``.

    Returns ACCESS_GRANTED or ACCESS_DENIED. The checks run in this order:

    1. No user, or an unauthenticated user, is denied.
    2. A user masquerading as a student is denied.
    3. Global staff is granted. This happens before ``access_level`` is
       validated, so global staff is granted for any ``access_level`` value.
    4. An ``access_level`` other than "staff" or "instructor" is denied.
    5. "staff" is satisfied by the course staff role, the org staff role, or
       an active OrganizationUser row for the course's org with ``is_staff``
       set. Instructor access satisfies both "staff" and "instructor".

    access_level = string, either "staff" or "instructor"
    """
    known_levels = ('staff', 'instructor')

    if not (user is not None and user.is_authenticated()):
        debug("Deny: no user or anon user")
        return ACCESS_DENIED

    if is_masquerading_as_student(user, course_key):
        return ACCESS_DENIED

    # NOTE(review): the helper's second value (staff access) is discarded and
    # recomputed below from the roles plus the OrganizationUser flag --
    # confirm that dropping the helper's answer is intended.
    global_staff, _, instructor_access = administrative_accesses_to_course_for_user(
        user, course_key)

    if global_staff:
        debug("Allow: user.is_staff")
        return ACCESS_GRANTED

    if access_level not in known_levels:
        log.debug(
            "Error in access._has_access_to_course access_level=%s unknown",
            access_level)
        debug("Deny: unknown access level")
        return ACCESS_DENIED

    # NOTE(review): first() picks a single row; if a user can have several
    # active rows for one organization, only that row's is_staff is seen --
    # verify against the model's uniqueness constraints.
    org_membership = OrganizationUser.objects.filter(
        active=True,
        organization__short_name=course_key.org,
        user_id=user.id,
    ).values().first()

    # The org-level is_staff flag applies to every course whose key carries
    # this org, not just this course.
    staff_access = (
        CourseStaffRole(course_key).has_user(user)
        or OrgStaffRole(course_key.org).has_user(user)
        or (org_membership and org_membership['is_staff'])
    )
    if staff_access and access_level == 'staff':
        debug("Allow: user has course staff access")
        return ACCESS_GRANTED

    # Instructor access covers the "staff" level as well.
    if instructor_access and access_level in known_levels:
        debug("Allow: user has course instructor access")
        return ACCESS_GRANTED

    debug("Deny: user did not have correct access")
    return ACCESS_DENIED