feat: add studio write access validation

germanolleunlp · germanolleunlp · commit 9835cff75765 · 2023-08-29T16:50:10.000-03:00
diff --git a/ai_aside/api/__init__.py b/ai_aside/api/__init__.py
@@ -0,0 +1,45 @@
+"""
+API Utilities
+"""
+import logging
+
+from rest_framework import status
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from ai_aside.api.exceptions import AiAsideException
+
+log = logging.getLogger(__name__)
+
+
+def handle_ai_aside_exception(exc, name=None):  # pylint: disable=inconsistent-return-statements
+    """
+    Converts ai_aside exceptions into restframework responses
+    """
+    if isinstance(exc, AiAsideException):
+        log.exception(name)
+        return APIResponse(http_status=exc.http_status, data={'message': str(exc)})
+
+
+class APIResponse(Response):
+    """API Response"""
+    def __init__(self, data=None, http_status=None, content_type=None, success=False):
+        _status = http_status or status.HTTP_200_OK
+        data = data or {}
+        reply = {'response': {'success': success}}
+        reply['response'].update(data)
+        super().__init__(data=reply, status=_status, content_type=content_type)
+
+
+class AiAsideAPIView(APIView):
+    """
+    Overrides APIView to handle ai_aside exceptions
+    """
+    def handle_exception(self, exc):
+        """
+        Converts proctoring exceptions into standard restframework responses
+        """
+        resp = handle_ai_aside_exception(exc, name=self.__class__.__name__)
+        if not resp:
+            resp = super().handle_exception(exc)
+        return resp
diff --git a/ai_aside/api/exceptions.py b/ai_aside/api/exceptions.py
@@ -0,0 +1,11 @@
+"""
+Custom exceptions for ai-aside
+"""
+from rest_framework import status
+
+
+class AiAsideException(Exception):
+    """
+    A common base class for all exceptions
+    """
+    http_status = status.HTTP_400_BAD_REQUEST
diff --git a/ai_aside/api/permissions.py b/ai_aside/api/permissions.py
@@ -0,0 +1,20 @@
+""" Permissions for ai-aside API"""
+
+from rest_framework.permissions import BasePermission
+
+from ai_aside.api.view_utils import validate_course_key
+from ai_aside.platform_imports import can_change_summaries_settings
+
+
+class HasStudioWriteAccess(BasePermission):
+    """
+    Check if the user has studio write access to a course.
+    """
+    def has_permission(self, request, view):
+        """
+        Check permissions for this class.
+        """
+        course_key_string = view.kwargs.get('course_id')
+        course_key = validate_course_key(course_key_string)
+
+        return can_change_summaries_settings(request.user, course_key)
diff --git a/ai_aside/api/view_utils.py b/ai_aside/api/view_utils.py
@@ -0,0 +1,49 @@
+"""
+Utilities related to API views
+"""
+
+from opaque_keys import InvalidKeyError
+from opaque_keys.edx.keys import CourseKey, UsageKey
+from ai_aside.api.exceptions import AiAsideException
+
+
+def validate_course_key(course_key_string: str) -> CourseKey:
+    """
+    Validate and parse a course_key string, if supported.
+
+    Args:
+        course_key_string (str): string course key to validate
+
+    Returns:
+        CourseKey: validated course key
+
+    Raises:
+        ValidationError: DRF Validation error in case the course key is invalid
+    """
+    try:
+        course_key = CourseKey.from_string(course_key_string)
+    except InvalidKeyError:
+        raise AiAsideException(f"{course_key_string} is not a valid CourseKey")
+    if course_key.deprecated:
+        raise AiAsideException("Deprecated CourseKeys (Org/Course/Run) are not supported.")
+    return course_key
+
+
+def validate_unit_key(unit_key_string: str) -> UsageKey:
+    """
+    Validate and parse a unit_key string, if supported.
+
+    Args:
+        unit_key_string (str): string unit key to validate
+
+    Returns:
+        UsageKey: validated unit key
+
+    Raises:
+        ValidationError: DRF Validation error in case the unit key is invalid
+    """
+    try:
+        usage_key = UsageKey.from_string(unit_key_string)
+    except InvalidKeyError:
+        raise AiAsideException(f"{unit_key_string} is not a valid UsageKey")
+    return usage_key
diff --git a/ai_aside/config_api/views.py b/ai_aside/config_api/views.py
@@ -15,12 +15,11 @@
 
 Both GET and DELETE methods respond with a 404 if the setting cannot be found.
 """
-from opaque_keys import InvalidKeyError
-from opaque_keys.edx.keys import CourseKey, UsageKey
 from rest_framework import status
-from rest_framework.response import Response
-from rest_framework.views import APIView
 
+from ai_aside.api import AiAsideAPIView, APIResponse
+from ai_aside.api.permissions import HasStudioWriteAccess
+from ai_aside.api.view_utils import validate_course_key, validate_unit_key
 from ai_aside.config_api.api import (
     NotFoundError,
     delete_course_settings,
@@ -34,47 +33,36 @@
 )
 
 
-class APIResponse(Response):
-    """API Response"""
-    def __init__(self, data=None, http_status=None, content_type=None, success=False):
-        _status = http_status or status.HTTP_200_OK
-        data = data or {}
-        reply = {'response': {'success': success}}
-        reply['response'].update(data)
-        super().__init__(data=reply, status=_status, content_type=content_type)
-
-
-class CourseSummaryConfigEnabledAPIView(APIView):
+class CourseSummaryConfigEnabledAPIView(AiAsideAPIView):
     """
     Simple GET endpoint to expose whether the course may use summary config.
     """
 
+    permission_classes = (HasStudioWriteAccess,)
+
     def get(self, request, course_id=None):
         """Expose whether the course may use summary config"""
         if course_id is None:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
-        try:
-            enabled = is_summary_config_enabled(CourseKey.from_string(course_id))
-            return APIResponse(success=True, data={'enabled': enabled})
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
+        course_key = validate_course_key(course_id)
+        enabled = is_summary_config_enabled(course_key)
+        return APIResponse(success=True, data={'enabled': enabled})
 
 
-class CourseEnabledAPIView(APIView):
+class CourseEnabledAPIView(AiAsideAPIView):
     """Handlers for course level settings"""
 
+    permission_classes = (HasStudioWriteAccess,)
+
     def get(self, request, course_id=None):
         """Gets the enabled state for a course"""
         if course_id is None:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
         try:
-            settings = get_course_settings(CourseKey.from_string(course_id))
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
+            course_key = validate_course_key(course_id)
+            settings = get_course_settings(course_key)
         except NotFoundError:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
@@ -90,13 +78,10 @@ def post(self, request, course_id=None):
         reset = request.data.get('reset')
 
         try:
-            course_key = CourseKey.from_string(course_id)
+            course_key = validate_course_key(course_id)
             set_course_settings(course_key, {'enabled': enabled})
             if reset:
                 reset_course_unit_settings(course_key)
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
         except TypeError:
             data = {'message': 'Invalid parameters'}
             return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
@@ -110,32 +95,28 @@ def delete(self, request, course_id=None):
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
         try:
-            delete_course_settings(CourseKey.from_string(course_id))
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
+            course_key = validate_course_key(course_id)
+            delete_course_settings(course_key)
         except NotFoundError:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
         return APIResponse(success=True)
 
 
-class UnitEnabledAPIView(APIView):
+class UnitEnabledAPIView(AiAsideAPIView):
     """Handlers for module level settings"""
 
+    permission_classes = (HasStudioWriteAccess,)
+
     def get(self, request, course_id=None, unit_id=None):
         """Gets the enabled state for a unit"""
         if course_id is None or unit_id is None:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
         try:
-            settings = get_unit_settings(
-                CourseKey.from_string(course_id),
-                UsageKey.from_string(unit_id),
-            )
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
+            course_key = validate_course_key(course_id)
+            unit_key = validate_unit_key(unit_id)
+            settings = get_unit_settings(course_key, unit_key)
         except NotFoundError:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
@@ -147,13 +128,9 @@ def post(self, request, course_id=None, unit_id=None):
         enabled = request.data.get('enabled')
 
         try:
-            set_unit_settings(
-                CourseKey.from_string(course_id),
-                UsageKey.from_string(unit_id),
-                {'enabled': enabled})
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
+            course_key = validate_course_key(course_id)
+            unit_key = validate_unit_key(unit_id)
+            set_unit_settings(course_key, unit_key, {'enabled': enabled})
         except TypeError:
             data = {'message': 'Invalid parameters'}
             return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
@@ -167,13 +144,9 @@ def delete(self, request, course_id=None, unit_id=None):
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
         try:
-            delete_unit_settings(
-                CourseKey.from_string(course_id),
-                UsageKey.from_string(unit_id),
-            )
-        except InvalidKeyError:
-            data = {'message': 'Invalid Key'}
-            return APIResponse(http_status=status.HTTP_400_BAD_REQUEST, data=data)
+            course_key = validate_course_key(course_id)
+            unit_key = validate_unit_key(unit_id)
+            delete_unit_settings(course_key, unit_key,)
         except NotFoundError:
             return APIResponse(http_status=status.HTTP_404_NOT_FOUND)
 
diff --git a/ai_aside/platform_imports.py b/ai_aside/platform_imports.py
@@ -26,3 +26,15 @@ def get_block(usage_key):
     # pylint: disable=import-error, import-outside-toplevel
     from xmodule.modulestore.django import modulestore
     return modulestore().get_item(usage_key)
+
+
+def can_change_summaries_settings(user, course_key) -> bool:
+    """
+    Check if the user can change the summaries settings.
+    """
+    try:
+        # pylint: disable=import-error, import-outside-toplevel
+        from common.djangoapps.student.auth import has_studio_write_access
+        return has_studio_write_access(user, course_key)
+    except (ModuleNotFoundError, ImportError):
+        return False
diff --git a/tests/api/test_views.py b/tests/api/test_views.py
@@ -1,7 +1,7 @@
 """
 Tests for the API
 """
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 
 import ddt
 from django.urls import reverse
@@ -20,10 +20,25 @@
     'block-v1:edX+DemoX+Demo_Course+type@vertical+block@vertical_321ac313f2de',
 ]
 
+has_studio_write_access = True
+
+
+def fake_has_studio_write_access(user, course_key):  # pylint: disable=unused-argument
+    return (has_studio_write_access, 'unused', 'unused')
+
 
 @ddt.ddt
 class TestApiViews(APITestCase):
     """API Endpoint View tests"""
+    def setUp(self):
+        auth_mock = MagicMock()
+        auth_mock.has_studio_write_access = fake_has_studio_write_access
+
+        modules = {
+            'common.djangoapps.student.auth': auth_mock,
+        }
+
+        patch.dict('sys.modules', modules).start()
 
     @ddt.data(True, False)
     @patch('ai_aside.config_api.api.summaries_configuration_enabled')
@@ -211,9 +226,9 @@ def test_unit_enabled_setter_invalid_key(self):
             'unit_id': unit_id,
         })
         response = self.client.post(api_url, {'enabled': True}, format='json')
-
+        message = response.data['response']['message']
         self.assertEqual(response.status_code, 400)
-        self.assertEqual(response.data['response']['message'], 'Invalid Key')
+        self.assertEqual(message, 'this:is:not_a-valid~key#either! is not a valid UsageKey')
 
     def test_unit_enabled_getter_valid(self):
         course_id = course_keys[0]
@@ -244,9 +259,9 @@ def test_unit_enabled_getter_invalid_key(self):
             'unit_id': unit_id,
         })
         response = self.client.get(api_url)
-
+        message = response.data['response']['message']
         self.assertEqual(response.status_code, 400)
-        self.assertEqual(response.data['response']['message'], 'Invalid Key')
+        self.assertEqual(message, 'this:is:not_a-valid~key#either! is not a valid UsageKey')
 
     def test_unit_enabled_getter_404(self):
         course_id = course_keys[1]
