fix: provent user to triger a downlaod csv task if task details api i…

…s inaccessible

futurex_openedx_extensions/helpers/export_mixins.py

@@ -111,6 +111,12 @@ def list(self, request: Request, *args: Any, **kwargs: Any) -> Response:
                     status=http_status.HTTP_403_FORBIDDEN
                 )
 
+            if not self.request.fx_permission_info['download_allowed']:
+                return Response(
+                    {'detail': 'You are not permitted to use the "download" parameter'},
+                    status=http_status.HTTP_403_FORBIDDEN
+                )
+
             if self.get_existing_incompleted_task_count() >= TASK_LIMIT:
                 return Response(
                     {'detail': 'CSV task limit reached. User can only run up to {TASK_LIMIT} tasks simultaneously.'},

futurex_openedx_extensions/helpers/permissions.py

@@ -117,17 +117,26 @@ def has_permission(self, request: Any, view: Any) -> bool:
 
         system_staff_user_flag = is_system_staff_user(request.user)
         user_roles: dict = get_user_course_access_roles(request.user.id)['roles']
+
+        download_allowed = bool(
+            set(user_roles.keys()) & set(view_allowed_roles) & set(view.get_view_user_roles_mapping(
+                view_name='exported_files_data', user=request.user
+            ))
+        )
+
         request.fx_permission_info = {
             'user': request.user,
             'user_roles': user_roles,
             'is_system_staff_user': system_staff_user_flag,
             'view_allowed_roles': view_allowed_roles,
             'view_allowed_tenant_ids_any_access': tenant_ids,
+            'download_allowed': download_allowed
         }
 
         if system_staff_user_flag:
             request.fx_permission_info.update({
                 'user_roles': {},
+                'download_allowed': True
             })
 
         if system_staff_user_flag or (