def get_user_permissions(user, course_key, org=None): """ Get the bitmask of permissions that this user has in the given course context. Can also set course_key=None and pass in an org to get the user's permissions for that organization as a whole. """ if org is None: org = course_key.org course_key = course_key.for_branch(None) else: assert course_key is None # No one has studio permissions for CCX courses if is_ccx_course(course_key): return STUDIO_NO_PERMISSIONS all_perms = STUDIO_EDIT_ROLES | STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT # global staff, org instructors, and course instructors have all permissions: if GlobalStaff().has_user(user) or OrgInstructorRole( org=org).has_user(user): return all_perms if course_key and user_has_role(user, CourseInstructorRole(course_key)): return all_perms if course_key and user_has_role(user, GlobalCourseCreatorRole(org)): return all_perms # Staff have all permissions except EDIT_ROLES: if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role( user, CourseStaffRole(course_key))): return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT # Otherwise, for libraries, users can view only: if course_key and isinstance(course_key, LibraryLocator): if OrgLibraryUserRole(org=org).has_user(user) or user_has_role( user, LibraryUserRole(course_key)): return STUDIO_VIEW_USERS | STUDIO_VIEW_CONTENT return STUDIO_NO_PERMISSIONS
def get_user_permissions(user, course_key, org=None): """ Get the bitmask of permissions that this user has in the given course context. Can also set course_key=None and pass in an org to get the user's permissions for that organization as a whole. """ if org is None: org = course_key.org course_key = course_key.for_branch(None) else: assert course_key is None # No one has studio permissions for CCX courses if is_ccx_course(course_key): return STUDIO_NO_PERMISSIONS all_perms = STUDIO_EDIT_ROLES | STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT # global staff, org instructors, and course instructors have all permissions: if GlobalStaff().has_user(user) or OrgInstructorRole( org=org).has_user(user): return all_perms if course_key and user_has_role(user, CourseInstructorRole(course_key)): return all_perms # Staff have all permissions except EDIT_ROLES: if OrgStaffRole(org=org).has_user(user) or (course_key and user_has_role( user, CourseStaffRole(course_key))): return STUDIO_VIEW_USERS | STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT # Otherwise, for libraries, users can view only: if course_key and isinstance(course_key, LibraryLocator): if OrgLibraryUserRole(org=org).has_user(user) or user_has_role( user, LibraryUserRole(course_key)): return STUDIO_VIEW_USERS | STUDIO_VIEW_CONTENT # Finally, check if user is linked directly to the organization: user_org = OrganizationUser.objects.filter( active=True, organization__short_name=org, user_id=user.id).values().first() if user_org: if user_org['is_staff']: return all_perms else: return STUDIO_EDIT_CONTENT | STUDIO_VIEW_CONTENT return STUDIO_NO_PERMISSIONS
def test_read_only_role(self, use_org_level_role): """ Test the read-only role (LibraryUserRole and its org-level equivalent) """ # As staff user, add a block to self.library: block = self._add_simple_content_block() # Login as a non_staff_user: self._login_as_non_staff_user() self.assertFalse(self._can_access_library(self.library)) block_url = reverse_usage_url('xblock_handler', block.location) def can_read_block(): """ Check if studio lets us view the XBlock in the library """ response = self.client.get_json(block_url) self.assertIn(response.status_code, (200, 403)) # 400 would be ambiguous return response.status_code == 200 def can_edit_block(): """ Check if studio lets us edit the XBlock in the library """ response = self.client.ajax_post(block_url) self.assertIn(response.status_code, (200, 403)) # 400 would be ambiguous return response.status_code == 200 def can_delete_block(): """ Check if studio lets us delete the XBlock in the library """ response = self.client.delete(block_url) self.assertIn(response.status_code, (200, 403)) # 400 would be ambiguous return response.status_code == 200 def can_copy_block(): """ Check if studio lets us duplicate the XBlock in the library """ response = self.client.ajax_post( reverse_url('xblock_handler'), { 'parent_locator': unicode(self.library.location), 'duplicate_source_locator': unicode(block.location), }) self.assertIn(response.status_code, (200, 403)) # 400 would be ambiguous return response.status_code == 200 def can_create_block(): """ Check if studio lets us make a new XBlock in the library """ response = self.client.ajax_post( reverse_url('xblock_handler'), { 'parent_locator': unicode(self.library.location), 'category': 'html', }) self.assertIn(response.status_code, (200, 403)) # 400 would be ambiguous return response.status_code == 200 # Check that we do not have read or write access to block: self.assertFalse(can_read_block()) self.assertFalse(can_edit_block()) self.assertFalse(can_delete_block()) self.assertFalse(can_copy_block()) self.assertFalse(can_create_block()) # Give non_staff_user read-only permission: if use_org_level_role: OrgLibraryUserRole(self.lib_key.org).add_users(self.non_staff_user) else: LibraryUserRole(self.lib_key).add_users(self.non_staff_user) self.assertTrue(self._can_access_library(self.library)) self.assertTrue(can_read_block()) self.assertFalse(can_edit_block()) self.assertFalse(can_delete_block()) self.assertFalse(can_copy_block()) self.assertFalse(can_create_block())
def set_roles_for_edx_users(user, permissions, strategy): ''' This function is specific functional for open-edx platform. It create roles for edx users from sso permissions. ''' log_message = 'For User: {}, object_type {} and object_id {} there is not matched Role for Permission set: {}' global_perm = { 'Read', 'Update', 'Delete', 'Publication', 'Enroll', 'Manage(permissions)' } staff_perm = {'Read', 'Update', 'Delete', 'Publication', 'Enroll'} tester_perm = {'Read', 'Enroll'} role_ids = set(user.courseaccessrole_set.values_list('id', flat=True)) new_role_ids = [] is_global_staff = False for role in permissions: _log = False if role['obj_type'] == '*': if '*' in role['obj_perm'] or global_perm.issubset( set(role['obj_perm'])): GlobalStaff().add_users(user) is_global_staff = True elif 'Create' in role['obj_perm']: if not CourseCreatorRole().has_user(user): CourseCreatorRole().add_users(user) car = CourseAccessRole.objects.get(user=user, role=CourseCreatorRole.ROLE) new_role_ids.append(car.id) if role['obj_perm'] != '*' and global_perm != set( role['obj_perm']) and ['Create'] != role['obj_perm']: _log = True elif role['obj_type'] == 'edxorg': if '*' in role['obj_perm'] or global_perm.issubset( set(role['obj_perm'])): if not OrgInstructorRole(role['obj_id']).has_user(user): OrgInstructorRole(role['obj_id']).add_users(user) car = CourseAccessRole.objects.get( user=user, role=OrgInstructorRole(role['obj_id'])._role_name, org=role['obj_id']) new_role_ids.append(car.id) elif staff_perm.issubset(set(role['obj_perm'])): if not OrgStaffRole(role['obj_id']).has_user(user): OrgStaffRole(role['obj_id']).add_users(user) car = CourseAccessRole.objects.get( user=user, role=OrgStaffRole(role['obj_id'])._role_name, org=role['obj_id']) new_role_ids.append(car.id) elif 'Read' in role['obj_perm']: if not OrgLibraryUserRole(role['obj_id']).has_user(user): OrgLibraryUserRole(role['obj_id']).add_users(user) car = CourseAccessRole.objects.get( user=user, role=OrgLibraryUserRole.ROLE, org=role['obj_id']) new_role_ids.append(car.id) if role['obj_perm'] != '*' and global_perm != set(role['obj_perm']) and \ staff_perm != set(role['obj_perm']) and 'Read' not in role['obj_perm']: _log = True elif role['obj_type'] in ['edxcourse', 'edxlibrary']: course_key = CourseKey.from_string(role['obj_id']) if '*' in role['obj_perm'] or global_perm.issubset( set(role['obj_perm'])): if not CourseInstructorRole(course_key).has_user(user): CourseInstructorRole(course_key).add_users(user) car = CourseAccessRole.objects.get( user=user, role=CourseInstructorRole.ROLE, course_id=course_key) new_role_ids.append(car.id) elif staff_perm.issubset(set(role['obj_perm'])): if not CourseStaffRole(course_key).has_user(user): CourseStaffRole(course_key).add_users(user) car = CourseAccessRole.objects.get(user=user, role=CourseStaffRole.ROLE, course_id=course_key) new_role_ids.append(car.id) elif tester_perm.issubset(set(role['obj_perm'])): if not CourseBetaTesterRole(course_key).has_user(user): CourseBetaTesterRole(course_key).add_users(user) car = CourseAccessRole.objects.get( user=user, role=CourseBetaTesterRole.ROLE, course_id=course_key) new_role_ids.append(car.id) elif role['obj_type'] == 'edxlibrary' and 'Read' in role[ 'obj_perm']: if not LibraryUserRole(course_key).has_user(user): LibraryUserRole(course_key).add_users(user) car = CourseAccessRole.objects.get( user=user, role=CourseBetaTesterRole.ROLE, course_id=course_key) new_role_ids.append(car.id) if role['obj_perm'] != '*' and global_perm != set(role['obj_perm']) and \ staff_perm != set(role['obj_perm']) and tester_perm != set(role['obj_perm']) and 'Read' not in role['obj_perm']: _log = True elif role['obj_type'] == 'edxcourserun': course_key = CourseKey.from_string(role['obj_id']) if '*' in role['obj_perm'] or global_perm.issubset( set(role['obj_perm'])): if not CourseInstructorRole(course_key).has_user(user): CourseInstructorRole(course_key).add_users(user) car = CourseAccessRole.objects.get( user=user, role=CourseInstructorRole.ROLE, course_id=course_key) new_role_ids.append(car.id) elif staff_perm.issubset(set(role['obj_perm'])): if not CourseStaffRole(course_key).has_user(user): CourseStaffRole(course_key).add_users(user) car = CourseAccessRole.objects.get(user=user, role=CourseStaffRole.ROLE, course_id=course_key) new_role_ids.append(car.id) elif tester_perm.issubset(set(role['obj_perm'])): if not CourseBetaTesterRole(course_key).has_user(user): CourseBetaTesterRole(course_key).add_users(user) car = CourseAccessRole.objects.get( user=user, role=CourseBetaTesterRole.ROLE, course_id=course_key) new_role_ids.append(car.id) if role['obj_perm'] != '*' and global_perm != set(role['obj_perm']) and \ staff_perm != set(role['obj_perm']) and tester_perm != set(role['obj_perm']): _log = True if _log: logging.warning( log_message.format(user.id, role['obj_type'], role['obj_id'], str(role['obj_perm']))) if (not is_global_staff) and GlobalStaff().has_user(user): GlobalStaff().remove_users(user) remove_roles = role_ids - set(new_role_ids) if remove_roles: entries = CourseAccessRole.objects.filter(id__in=list(remove_roles)) entries.delete()