diff --git a/lms/djangoapps/instructor/views/api.py b/lms/djangoapps/instructor/views/api.py
index 323d9a344c7..d3ccfe10ce1 100644
--- a/lms/djangoapps/instructor/views/api.py
+++ b/lms/djangoapps/instructor/views/api.py
@@ -119,7 +119,7 @@
 from openedx.core.djangoapps.site_configuration import helpers as configuration_helpers
 from openedx.core.djangoapps.user_api.preferences.api import get_user_preference
 from openedx.core.djangolib.markup import HTML, Text
-from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser, BearerAuthentication
+from openedx.core.lib.api.authentication import BearerAuthentication, BearerAuthenticationAllowInactiveUser
 from rest_framework.authentication import SessionAuthentication
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, view_auth_classes
 from openedx.core.lib.courses import get_course_by_id
@@ -233,6 +233,30 @@ def wrapped(*args, **kwargs):
     return decorator
 
 
+def verify_course_permission(permission):
+    """
+    Decorator with argument that requires a specific permission of the requesting
+    user. If the requirement is not satisfied, returns an
+    HttpResponseForbidden (403).
+    Assumes that request is in self.
+    Assumes that course_id is in kwargs['course_id'].
+    """
+
+    def decorator(func):
+        def wrapped(self, *args, **kwargs):
+            request = self.request
+            course = get_course_by_id(CourseKey.from_string(kwargs['course_id']))
+
+            if request.user.has_perm(permission, course):
+                return func(self, *args, **kwargs)
+            else:
+                return HttpResponseForbidden()
+
+        return wrapped
+
+    return decorator
+
+
 def require_sales_admin(func):
     """
     Decorator for checking sales administrator access before executing an HTTP endpoint. This decorator
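Review bot: The new `wrapped` in `verify_course_permission` passes `kwargs['course_id']` straight to `CourseKey.from_string`, so a missing kwarg raises `KeyError` and a malformed id raises the key library's parse error, and both escape an authorization decorator as an unhandled exception (a 500) rather than a 4xx; the docstring's two "Assumes" lines describe the precondition but nothing enforces it. I would resolve the key first and return `HttpResponseBadRequest()` on failure, leaving the `has_perm` branch as-is so an authorization failure still yields 403 (this needs `InvalidKeyError` from `opaque_keys` and `HttpResponseBadRequest` from `django.http` imported, which the hunk does not show). Separately, `wrapped` is not decorated with `functools.wraps(func)`, so the decorated view loses its `__name__` and docstring, which degrades logging, tracebacks and DRF introspection. Whether `get_course_by_id` itself raises for an unknown course, and whether the views using this decorator already reject anonymous callers with 401 before `has_perm` returns False and produces a 403, are not visible in this hunk and worth confirming.
```python
    def decorator(func):
        @functools.wraps(func)
        def wrapped(self, *args, **kwargs):
            request = self.request
            # Reject a missing or malformed course id before consulting
            # permissions, so a client input error is a 400, not a server error.
            try:
                course_key = CourseKey.from_string(kwargs['course_id'])
            except (KeyError, InvalidKeyError):
                return HttpResponseBadRequest()
            course = get_course_by_id(course_key)
            # … unchanged: has_perm check / HttpResponseForbidden …
```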
@@ -1121,6 +1145,7 @@ def post(self, request, course_id):
         return Response(response_payload, status=status.HTTP_200_OK)
 
+
 class ProblemResponseReportPostParamsSerializer(serializers.Serializer):  # pylint: disable=abstract-method
     """
     Serializer that describes that POST parameters for the report generation API.