def test_revoke_twice(self): user = self.moderators[0] update_forum_role_membership(self.course.id, user, FORUM_ROLE_MODERATOR, 'revoke') self.assertNotIn(user, self.mod_role.users.all()) update_forum_role_membership(self.course.id, user, FORUM_ROLE_MODERATOR, 'revoke') self.assertNotIn(user, self.mod_role.users.all())
def test_allow_twice(self): user = UserFactory.create() update_forum_role_membership(self.course.id, user, FORUM_ROLE_MODERATOR, 'allow') self.assertIn(user, self.mod_role.users.all()) update_forum_role_membership(self.course.id, user, FORUM_ROLE_MODERATOR, 'allow') self.assertIn(user, self.mod_role.users.all())
def update_forum_role_membership(request, course_id): """ Modify user's forum role. The requesting user must be at least staff. Staff forum admins can access all roles EXCEPT for FORUM_ROLE_ADMINISTRATOR which is limited to instructors. No one can revoke an instructors FORUM_ROLE_ADMINISTRATOR status. Query parameters: - `email` is the target users email - `rolename` is one of [FORUM_ROLE_ADMINISTRATOR, FORUM_ROLE_MODERATOR, FORUM_ROLE_COMMUNITY_TA] - `action` is one of ['allow', 'revoke'] """ course = get_course_by_id(course_id) has_instructor_access = has_access(request.user, course, 'instructor') has_forum_admin = has_forum_access(request.user, course_id, FORUM_ROLE_ADMINISTRATOR) email = request.GET.get('email') rolename = request.GET.get('rolename') action = request.GET.get('action') # default roles require either (staff & forum admin) or (instructor) if not (has_forum_admin or has_instructor_access): return HttpResponseBadRequest( "Operation requires staff & forum admin or instructor access") # EXCEPT FORUM_ROLE_ADMINISTRATOR requires (instructor) if rolename == FORUM_ROLE_ADMINISTRATOR and not has_instructor_access: return HttpResponseBadRequest("Operation requires instructor access.") if not rolename in [ FORUM_ROLE_ADMINISTRATOR, FORUM_ROLE_MODERATOR, FORUM_ROLE_COMMUNITY_TA ]: return HttpResponseBadRequest( "Unrecognized rolename '{}'.".format(rolename)) user = User.objects.get(email=email) target_is_instructor = has_access(user, course, 'instructor') # cannot revoke instructor if target_is_instructor and action == 'revoke' and rolename == FORUM_ROLE_ADMINISTRATOR: return HttpResponseBadRequest( "Cannot revoke instructor forum admin privelages.") try: access.update_forum_role_membership(course_id, user, rolename, action) except Role.DoesNotExist: return HttpResponseBadRequest("Role does not exist.") response_payload = { 'course_id': course_id, 'action': action, } return JsonResponse(response_payload)
def update_forum_role_membership(request, course_id): """ Modify user's forum role. The requesting user must be at least staff. Staff forum admins can access all roles EXCEPT for FORUM_ROLE_ADMINISTRATOR which is limited to instructors. No one can revoke an instructors FORUM_ROLE_ADMINISTRATOR status. Query parameters: - `email` is the target users email - `rolename` is one of [FORUM_ROLE_ADMINISTRATOR, FORUM_ROLE_MODERATOR, FORUM_ROLE_COMMUNITY_TA] - `action` is one of ['allow', 'revoke'] """ course = get_course_by_id(course_id) has_instructor_access = has_access(request.user, course, 'instructor') has_forum_admin = has_forum_access( request.user, course_id, FORUM_ROLE_ADMINISTRATOR ) email = request.GET.get('email') rolename = request.GET.get('rolename') action = request.GET.get('action') # default roles require either (staff & forum admin) or (instructor) if not (has_forum_admin or has_instructor_access): return HttpResponseBadRequest( "Operation requires staff & forum admin or instructor access" ) # EXCEPT FORUM_ROLE_ADMINISTRATOR requires (instructor) if rolename == FORUM_ROLE_ADMINISTRATOR and not has_instructor_access: return HttpResponseBadRequest("Operation requires instructor access.") if not rolename in [FORUM_ROLE_ADMINISTRATOR, FORUM_ROLE_MODERATOR, FORUM_ROLE_COMMUNITY_TA]: return HttpResponseBadRequest("Unrecognized rolename '{}'.".format(rolename)) user = User.objects.get(email=email) target_is_instructor = has_access(user, course, 'instructor') # cannot revoke instructor if target_is_instructor and action == 'revoke' and rolename == FORUM_ROLE_ADMINISTRATOR: return HttpResponseBadRequest("Cannot revoke instructor forum admin privelages.") try: access.update_forum_role_membership(course_id, user, rolename, action) except Role.DoesNotExist: return HttpResponseBadRequest("Role does not exist.") response_payload = { 'course_id': course_id, 'action': action, } response = HttpResponse( json.dumps(response_payload), content_type="application/json" ) return response
def test_bad_mode(self): user = UserFactory() update_forum_role_membership(self.course.id, user, FORUM_ROLE_MODERATOR, 'robot-not-a-mode')
def test_revoke_badrole(self): user = self.moderators[0] update_forum_role_membership(self.course.id, user, 'robot-not-a-real-role', 'allow')
def test_revoke_notallowed(self): user = UserFactory() update_forum_role_membership(self.course.id, user, FORUM_ROLE_MODERATOR, 'revoke') self.assertNotIn(user, self.mod_role.users.all())
def test_allow_badrole(self): user = UserFactory.create() update_forum_role_membership(self.course.id, user, 'robot-not-a-real-role', 'allow')