From 5c1fff6c1b5050e65231622b9f34128309a596b3 Mon Sep 17 00:00:00 2001
From: Glib Glugovskiy
Date: Fri, 15 Dec 2023 20:28:31 +0200
Subject: [PATCH] fix: [FC-0031] Restrict access to is_enrolled field

---
 lms/djangoapps/course_api/serializers.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/lms/djangoapps/course_api/serializers.py b/lms/djangoapps/course_api/serializers.py
index e4855e05cb15..5fc711376784 100644
--- a/lms/djangoapps/course_api/serializers.py
+++ b/lms/djangoapps/course_api/serializers.py
@@ -167,18 +167,22 @@ def to_representation(self, instance):
         Get the `certificate_available_date` in response
         if the `certificates.auto_certificate_generation` waffle switch is enabled
 
-        Get the 'is_enrolled' in response
-        if user is authenticated and 'username' is in query params.
+        Get the 'is_enrolled' in response if 'username' is in query params,
+        user is staff, superuser, or user is authenticated and
+        the has the same 'username' as the 'username' in the query params.
         """
         response = super().to_representation(instance)
         if can_show_certificate_available_date_field(instance):
             response['certificate_available_date'] = instance.certificate_available_date
 
-        requested_user = self.context['request'].query_params.get('username', None)
-        if self.context['request'].user.is_authenticated and requested_user:
-            User = get_user_model()
-            requested_user = User.objects.get(username=requested_user)
-            response['is_enrolled'] = CourseEnrollment.is_enrolled(requested_user, instance.id)
+        requested_username = self.context['request'].query_params.get('username', None)
+        if requested_username:
+            user = self.context['request'].user
+            if ((user.is_authenticated and user.username == requested_username)
+                or user.is_staff or user.is_superuser):
+                User = get_user_model()
+                requested_user = User.objects.get(username=requested_username)
+                response['is_enrolled'] = CourseEnrollment.is_enrolled(requested_user, instance.id)
         return response
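Review bot: The `User.objects.get(username=requested_username)` call in the new branch still raises `User.DoesNotExist` unhandled, and now that staff and superusers may pass any `username`, an unknown or mistyped value turns into an uncaught exception (typically a 500) instead of a clean response; the same-user branch was never exposed to this because the caller's own username always resolves. The lookup should tolerate a miss and simply leave `is_enrolled` out, e.g. `requested_user = User.objects.filter(username=requested_username).first()` followed by `if requested_user is not None:` around the `is_enrolled` assignment. A `# staff/superuser may query any username; other callers only their own` comment above the `if ((user.is_authenticated ...` condition would make the access rule readable without the docstring, and the docstring's "the has the same 'username'" should read "they have the same 'username'". Note that `to_representation` runs once per serialized course, so in list responses this lookup repeats per item; if that matters, resolving the user once in the view or context is the usual fix. The enclosing method's signature and preceding docstring lines are outside this hunk.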