def check_staff(): """ Checks for staff access """ if perm != 'global': debug("Deny: invalid permission '%s'", perm) return ACCESS_DENIED return ACCESS_GRANTED if GlobalStaff().has_user(user) else ACCESS_DENIED
def _can_access_descriptor_with_milestones(user, descriptor, course_key): """ Returns if the object is blocked by an unfulfilled milestone. Args: user: the user trying to access this content descriptor: the object being accessed course_key: key for the course for this descriptor """ if milestones_helpers.get_course_content_milestones( course_key, str(descriptor.location), 'requires', user.id): debug("Deny: user has not completed all milestones for content") return ACCESS_DENIED else: return ACCESS_GRANTED
def _dispatch(table, action, user, obj): """ Helper: call table[action], raising a nice pretty error if there is no such key. user and object passed in only for error messages and debugging """ if action in table: result = table[action]() debug("%s user %s, object %s, action %s", 'ALLOWED' if result else 'DENIED', user, str(obj.location) if isinstance(obj, XBlock) else str(obj), action) return result raise ValueError("Unknown action for object type '{}': '{}'".format( type(obj), action))
def _can_enroll_courselike(user, courselike): """ Ascertain if the user can enroll in the given courselike object. Arguments: user (User): The user attempting to enroll. courselike (CourseBlock or CourseOverview): The object representing the course in which the user is trying to enroll. Returns: AccessResponse, indicating whether the user can enroll. """ # Courselike objects (e.g., course descriptors and CourseOverviews) have an attribute named `id` # which actually points to a CourseKey. Sigh. course_key = courselike.id # If the user appears in CourseEnrollmentAllowed paired with the given course key, # they may enroll, except if the CEA has already been used by a different user. # Note that as dictated by the legacy database schema, the filter call includes # a `course_id` kwarg which requires a CourseKey. if user is not None and user.is_authenticated: cea = CourseEnrollmentAllowed.objects.filter( email=user.email, course_id=course_key).first() if cea and cea.valid_for_user(user): return ACCESS_GRANTED elif cea: debug( "Deny: CEA was already consumed by a different user {} and can't be used again by {}" .format( cea.user.id, user.id, )) return ACCESS_DENIED if _has_staff_access_to_descriptor(user, courselike, course_key): return ACCESS_GRANTED # Access denied when default value of COURSES_INVITE_ONLY set to True if is_courses_default_invite_only_enabled() or courselike.invitation_only: debug("Deny: invitation only") return ACCESS_DENIED now = datetime.now(UTC) enrollment_start = courselike.enrollment_start or datetime.min.replace( tzinfo=UTC) enrollment_end = courselike.enrollment_end or datetime.max.replace( tzinfo=UTC) if enrollment_start < now < enrollment_end: debug("Allow: in enrollment period") return ACCESS_GRANTED return ACCESS_DENIED
def _has_access_to_course(user, access_level, course_key): """ Returns True if the given user has access_level (= staff or instructor) access to the course with the given course_key. This ensures the user is authenticated and checks if global staff or has staff / instructor access. access_level = string, either "staff" or "instructor" """ if user is None or (not user.is_authenticated): debug("Deny: no user or anon user") return ACCESS_DENIED if is_masquerading_as_student(user, course_key): return ACCESS_DENIED global_staff, staff_access, instructor_access = administrative_accesses_to_course_for_user( user, course_key) if global_staff: debug("Allow: user.is_staff") return ACCESS_GRANTED if access_level not in ('staff', 'instructor'): log.debug( "Error in access._has_access_to_course access_level=%s unknown", access_level) debug("Deny: unknown access level") return ACCESS_DENIED if staff_access and access_level == 'staff': debug("Allow: user has course staff access") return ACCESS_GRANTED if instructor_access and access_level in ('staff', 'instructor'): debug("Allow: user has course instructor access") return ACCESS_GRANTED debug("Deny: user did not have correct access") return ACCESS_DENIED