fix: cohorts api permissions

Fix lack of the permissions for course staff/instructor roles. Allows course staff/admin users use cohorts API, e.g. for cohort filters in the Gradebook MFE.
openedx · Mar 21, 2024 · 630987a · 630987a
1 parent 71396c3
commit 630987a
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/openedx/core/djangoapps/course_groups/permissions.py b/openedx/core/djangoapps/course_groups/permissions.py
@@ -8,7 +8,7 @@
 from openedx.core.djangoapps.django_comment_common.models import (
     FORUM_ROLE_ADMINISTRATOR, FORUM_ROLE_COMMUNITY_TA, FORUM_ROLE_MODERATOR
 )
-from common.djangoapps.student.roles import GlobalStaff
+from common.djangoapps.student.roles import CourseStaffRole, GlobalStaff, CourseInstructorRole
 from lms.djangoapps.discussion.django_comment_client.utils import get_user_role_names
 
 
@@ -19,15 +19,17 @@ class IsStaffOrAdmin(permissions.BasePermission):
 
     def has_permission(self, request, view):
         """Returns true if the user is admin or staff and request method is GET."""
+        if GlobalStaff().has_user(request.user) or request.user.is_superuser:
+            return True
         course_key = CourseKey.from_string(view.kwargs.get('course_key_string'))
         user_roles = get_user_role_names(request.user, course_key)
-        is_user_staff = bool(user_roles & {
+        has_discussion_privileges = bool(user_roles & {
             FORUM_ROLE_ADMINISTRATOR,
             FORUM_ROLE_MODERATOR,
             FORUM_ROLE_COMMUNITY_TA,
         })
         return (
-            GlobalStaff().has_user(request.user) or
-            request.user.is_staff or
-            is_user_staff and request.method == "GET"
+            CourseInstructorRole(course_key).has_user(request.user) or
+            CourseStaffRole(course_key).has_user(request.user) or
+            has_discussion_privileges and request.method == "GET"
         )