|
11 | 11 | from django.core.exceptions import PermissionDenied |
12 | 12 | from opaque_keys.edx.locator import LibraryLocator |
13 | 13 | from openedx_authz import api as authz_api |
14 | | -from openedx_authz.constants.permissions import COURSES_CREATE_COURSE, COURSES_MANAGE_ADVANCED_SETTINGS |
| 14 | +from openedx_authz.constants.permissions import COURSES_CREATE_COURSE, COURSES_MANAGE_ADVANCED_SETTINGS, COURSES_VIEW_ADVANCED_SETTINGS |
15 | 15 |
|
16 | 16 | from common.djangoapps.student.roles import ( |
17 | 17 | CourseBetaTesterRole, |
@@ -201,26 +201,43 @@ def check_course_advanced_settings_access(user, course_key, access_type='read'): |
201 | 201 | Returns: |
202 | 202 | bool: True if user has permission, False otherwise |
203 | 203 | """ |
204 | | - if core_toggles.AUTHZ_COURSE_AUTHORING_FLAG.is_enabled(course_key): |
205 | | - # For feature_restricted access type, check DISABLE_ADVANCED_SETTINGS feature |
206 | | - if ( |
207 | | - access_type == 'feature_restricted' |
208 | | - and settings.FEATURES.get('DISABLE_ADVANCED_SETTINGS', False) |
209 | | - ): |
210 | | - # When feature is disabled, only staff/superuser can access (bypass authz) |
211 | | - return user.is_staff or user.is_superuser |
212 | | - # Otherwise check authz permission |
213 | | - return authz_api.is_user_allowed(user.username, COURSES_MANAGE_ADVANCED_SETTINGS.identifier, str(course_key)) |
214 | | - |
215 | | - # Legacy permission checks |
| 204 | + if not core_toggles.AUTHZ_COURSE_AUTHORING_FLAG.is_enabled(course_key): |
| 205 | + if access_type == 'read': |
| 206 | + return has_studio_read_access(user, course_key) |
| 207 | + if access_type == 'feature_restricted': |
| 208 | + return has_studio_advanced_settings_access(user) |
| 209 | + if access_type == 'write': |
| 210 | + return has_studio_write_access(user, course_key) |
| 211 | + return False |
| 212 | + |
| 213 | + course_id = str(course_key) |
| 214 | + username = user.username |
| 215 | + disable_advanced = settings.FEATURES.get('DISABLE_ADVANCED_SETTINGS', False) |
| 216 | + |
| 217 | + # Feature flag override: when DISABLE_ADVANCED_SETTINGS is enabled, |
| 218 | + # only staff/superuser can access regardless of authz permissions |
| 219 | + if access_type == 'feature_restricted' and disable_advanced: |
| 220 | + return user.is_staff or user.is_superuser |
| 221 | + |
| 222 | + # MANAGE permission grants full access (read + write) |
| 223 | + has_manage = authz_api.is_user_allowed( |
| 224 | + username, |
| 225 | + COURSES_MANAGE_ADVANCED_SETTINGS.identifier, |
| 226 | + course_id, |
| 227 | + ) |
| 228 | + if has_manage: |
| 229 | + return True |
| 230 | + |
| 231 | + # VIEW permission allows read-only access for auditors |
216 | 232 | if access_type == 'read': |
217 | | - return has_studio_read_access(user, course_key) |
218 | | - if access_type == 'feature_restricted': |
219 | | - return has_studio_advanced_settings_access(user) |
220 | | - if access_type == 'write': |
221 | | - return has_studio_write_access(user, course_key) |
| 233 | + return authz_api.is_user_allowed( |
| 234 | + username, |
| 235 | + COURSES_VIEW_ADVANCED_SETTINGS.identifier, |
| 236 | + course_id, |
| 237 | + ) |
222 | 238 |
|
223 | | - raise ValueError(f"Invalid access_type: {access_type}") |
| 239 | + # write and feature_restricted (when not disabled) require MANAGE |
| 240 | + return False |
224 | 241 |
|
225 | 242 |
|
226 | 243 | def is_content_creator(user, org): |
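Review bot: Dropping the `raise ValueError(f"Invalid access_type: {access_type}")` at the end of the function means an unrecognized access_type is no longer rejected, and on the authz path it is not even checked before the MANAGE lookup, so a caller typo (`'wrte'`) now returns True for any user holding COURSES_MANAGE_ADVANCED_SETTINGS instead of failing loudly; on the legacy path the same typo silently returns False, so the two paths also disagree. Validating the argument once at the top of the function keeps the old contract and is fail-closed on both paths: `if access_type not in ('read', 'write', 'feature_restricted'):` / `    raise ValueError(f"Invalid access_type: {access_type}")`. If removing the exception is intentional, the docstring (whose head, including any Raises section, is outside this hunk) should say that unknown values return False, and the legacy branch's trailing `return False` should be reached before the MANAGE check on the authz branch as well. The body of check_course_advanced_settings_access begins before this hunk.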
|