def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated()):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if not in_preview_mode() and is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
if GlobalStaff().has_user(user):
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
staff_access = (
CourseStaffRole(course_key).has_user(user) or
OrgStaffRole(course_key.org).has_user(user)
)
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
instructor_access = (
CourseInstructorRole(course_key).has_user(user) or
OrgInstructorRole(course_key.org).has_user(user)
)
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key):
"""
Returns True if the given user has access_level (= staff or
instructor) access to the course with the given course_key.
This ensures the user is authenticated and checks if global staff or has
staff / instructor access.
access_level = string, either "staff" or "instructor"
"""
if user is None or (not user.is_authenticated()):
debug("Deny: no user or anon user")
return ACCESS_DENIED
if not in_preview_mode() and is_masquerading_as_student(user, course_key):
return ACCESS_DENIED
if GlobalStaff().has_user(user):
debug("Allow: user.is_staff")
return ACCESS_GRANTED
if access_level not in ('staff', 'instructor'):
log.debug("Error in access._has_access_to_course access_level=%s unknown", access_level)
debug("Deny: unknown access level")
return ACCESS_DENIED
staff_access = (
CourseStaffRole(course_key).has_user(user) or
OrgStaffRole(course_key.org).has_user(user)
)
if staff_access and access_level == 'staff':
debug("Allow: user has course staff access")
return ACCESS_GRANTED
instructor_access = (
CourseInstructorRole(course_key).has_user(user) or
OrgInstructorRole(course_key.org).has_user(user)
)
if instructor_access and access_level in ('staff', 'instructor'):
debug("Allow: user has course instructor access")
return ACCESS_GRANTED
debug("Deny: user did not have correct access")
return ACCESS_DENIED
def has_access(user, action, obj, course_key=None):
"""
Check whether a user has the access to do action on obj. Handles any magic
switching based on various settings.
Things this module understands:
- start dates for modules
- visible_to_staff_only for modules
- DISABLE_START_DATES
- different access for instructor, staff, course staff, and students.
- mobile_available flag for course modules
user: a Django user object. May be anonymous. If none is passed,
anonymous is assumed
obj: The object to check access for. A module, descriptor, location, or
certain special strings (e.g. 'global')
action: A string specifying the action that the client is trying to perform.
actions depend on the obj type, but include e.g. 'enroll' for courses. See the
type-specific functions below for the known actions for that type.
course_key: A course_key specifying which course run this access is for.
Required when accessing anything other than a CourseDescriptor, 'global',
or a location with category 'course'
Returns an AccessResponse object. It is up to the caller to actually
deny access in a way that makes sense in context.
"""
# Just in case user is passed in as None, make them anonymous
if not user:
user = AnonymousUser()
# Preview mode is only accessible by staff.
if in_preview_mode() and course_key:
if not has_staff_access_to_preview_mode(user, course_key):
return ACCESS_DENIED
# delegate the work to type-specific functions.
# (start with more specific types, then get more general)
if isinstance(obj, CourseDescriptor):
return _has_access_course(user, action, obj)
if isinstance(obj, CourseOverview):
return _has_access_course(user, action, obj)
if isinstance(obj, ErrorDescriptor):
return _has_access_error_desc(user, action, obj, course_key)
if isinstance(obj, XModule):
return _has_access_xmodule(user, action, obj, course_key)
# NOTE: any descriptor access checkers need to go above this
if isinstance(obj, XBlock):
return _has_access_descriptor(user, action, obj, course_key)
if isinstance(obj, CourseKey):
return _has_access_course_key(user, action, obj)
if isinstance(obj, UsageKey):
return _has_access_location(user, action, obj, course_key)
if isinstance(obj, basestring):
return _has_access_string(user, action, obj)
# Passing an unknown object here is a coding error, so rather than
# returning a default, complain.
raise TypeError("Unknown object type in has_access(): '{0}'"
.format(type(obj)))
