fix: [FC-0031] Restrict access to is_enrolled field
GlugovGrGlib committed Dec 15, 2023
1 parent bd53863 commit d344a7e
Showing 1 changed file with 11 additions and 7 deletions.
18 changes: 11 additions & 7 deletions lms/djangoapps/course_api/serializers.py
@@ -167,18 +167,22 @@ def to_representation(self, instance):
Get the `certificate_available_date` in response
if the `certificates.auto_certificate_generation` waffle switch is enabled
Get the 'is_enrolled' in response
if user is authenticated and 'username' is in query params.
Get the 'is_enrolled' in response if 'username' is in query params,
user is staff, superuser, or user is authenticated and
the has the same 'username' as the 'username' in the query params.
"""
response = super().to_representation(instance)
if can_show_certificate_available_date_field(instance):
response['certificate_available_date'] = instance.certificate_available_date

requested_user = self.context['request'].query_params.get('username', None)
if self.context['request'].user.is_authenticated and requested_user:
User = get_user_model()
requested_user = User.objects.get(username=requested_user)
response['is_enrolled'] = CourseEnrollment.is_enrolled(requested_user, instance.id)
requested_username = self.context['request'].query_params.get('username', None)
if requested_username:
user = self.context['request'].user
if ((user.is_authenticated and user.username == requested_username)
or user.is_staff or user.is_superuser):
User = get_user_model()
requested_user = User.objects.get(username=requested_username)
response['is_enrolled'] = CourseEnrollment.is_enrolled(requested_user, instance.id)
return response
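Review bot: `User.objects.get(username=requested_username)` in the new staff/superuser branch raises `User.DoesNotExist` when the queried username does not exist, and nothing in this hunk catches it. A staff request with a mistyped username would therefore presumably surface as a server error instead of a response without `is_enrolled`, unless the view validates the parameter upstream, which is not visible here. Consider reusing `user` when the names match and doing a non-raising lookup for the privileged case, omitting the field when no account is found, as sketched below. The page shows a single changed file, so the new authorization rule appears to land without a regression test for the case where an authenticated non-staff user asks about another username. `to_representation` begins above the hunk, so the start of its docstring is not visible.

```python
        # … unchanged: certificate_available_date handling …
        requested_username = self.context['request'].query_params.get('username', None)
        if requested_username:
            user = self.context['request'].user
            if user.is_authenticated and user.username == requested_username:
                # The requester is asking about themselves: no extra lookup needed.
                requested_user = user
            elif user.is_staff or user.is_superuser:
                # Non-raising lookup; None when the username is unknown.
                requested_user = get_user_model().objects.filter(username=requested_username).first()
            else:
                requested_user = None
            if requested_user is not None:
                response['is_enrolled'] = CourseEnrollment.is_enrolled(requested_user, instance.id)
        return response
```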


