fix: Add permission to migration info view

Author: ChrisChV

cms/djangoapps/modulestore_migrator/rest_api/v1/views.py

@@ -11,12 +11,13 @@
 from rest_framework import status
 from rest_framework.exceptions import ParseError
 from rest_framework.mixins import ListModelMixin
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework.viewsets import GenericViewSet
 from user_tasks.models import UserTaskStatus
 from user_tasks.views import StatusViewSet
+from opaque_keys.edx.keys import CourseKey
 
 from cms.djangoapps.modulestore_migrator.api import (
     start_migration_to_library,
@@ -26,6 +27,7 @@
 from openedx.core.djangoapps.content.course_overviews.models import CourseOverview
 from openedx.core.djangoapps.content_libraries import api as lib_api
 from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
+from common.djangoapps.student.auth import has_studio_write_access
 
 from ...models import ModulestoreMigration
 from .serializers import (
@@ -392,7 +394,7 @@ class MigrationInfoViewSet(APIView):
             }
     """
 
-    permission_classes = (IsAdminUser,)
+    permission_classes = (IsAuthenticated,)
     authentication_classes = (
         BearerAuthenticationAllowInactiveUser,
         JwtAuthentication,
@@ -425,7 +427,18 @@ def get(self, request):
                 status=status.HTTP_400_BAD_REQUEST
             )
 
-        data = get_all_migrations_info(source_keys)
+        # Check permissions for each source_key:
+        # Skip the source if the key is invalid or if the user doesn't have permissions
+        source_keys_validated = []
+        for source_key in source_keys:
+            try:
+                key = CourseKey.from_string(source_key)
+                if has_studio_write_access(request.user, key):
+                    source_keys_validated.append(key)
+            except InvalidKeyError:
+                continue
+
+        data = get_all_migrations_info(source_keys_validated)
         serializer = MigrationInfoResponseSerializer(data)
         return Response(serializer.data)
 

openedx/core/djangoapps/content_libraries/tasks.py

@@ -127,6 +127,16 @@ def send_events_after_publish(publish_log_pk: int, library_key_str: str) -> None
         elif hasattr(record.entity, "container"):
             container_key = api.library_container_locator(library_key, record.entity.container)
             affected_containers.add(container_key)
+
+            try:
+                # We do need to notify listeners that the parent container(s) have changed,
+                # e.g. so the search index can update the "has_unpublished_changes"
+                for parent_container in api.get_containers_contains_item(container_key):
+                    affected_containers.add(parent_container.container_key)
+                    # TODO: should this be a CONTAINER_CHILD_PUBLISHED event instead of CONTAINER_PUBLISHED ?
+            except api.ContentLibraryContainerNotFound:
+                # The deleted children remains in the entity, so, in this case, the container may not be found.
+                pass
         else:
             log.warning(
                 f"PublishableEntity {record.entity.pk} / {record.entity.key} was modified during publish operation "