From b9f779175881e1141597dc855be745f7b35e3115 Mon Sep 17 00:00:00 2001
From: Tehreem Sadat
Date: Wed, 27 Nov 2024 23:56:46 +1300
Subject: [PATCH] fix: provent user to triger a downlaod csv task if task details api is inaccessible

---
 futurex_openedx_extensions/helpers/export_mixins.py | 6 ++++++
 futurex_openedx_extensions/helpers/permissions.py | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/futurex_openedx_extensions/helpers/export_mixins.py b/futurex_openedx_extensions/helpers/export_mixins.py
index b001d34f..c866b3b1 100644
--- a/futurex_openedx_extensions/helpers/export_mixins.py
+++ b/futurex_openedx_extensions/helpers/export_mixins.py
@@ -111,6 +111,12 @@ def list(self, request: Request, *args: Any, **kwargs: Any) -> Response:
 status=http_status.HTTP_403_FORBIDDEN
 )
 
+ if not self.request.fx_permission_info['download_allowed']:
+ return Response(
+ {'detail': 'You are not permitted to use the "download" parameter'},
+ status=http_status.HTTP_403_FORBIDDEN
+ )
+
 if self.get_existing_incompleted_task_count() >= TASK_LIMIT:
 return Response(
 {'detail': 'CSV task limit reached. User can only run up to {TASK_LIMIT} tasks simultaneously.'},
diff --git a/futurex_openedx_extensions/helpers/permissions.py b/futurex_openedx_extensions/helpers/permissions.py
index 78565728..b08123d4 100644
--- a/futurex_openedx_extensions/helpers/permissions.py
+++ b/futurex_openedx_extensions/helpers/permissions.py
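Review bot: The new guard in `list` (export_mixins.py) indexes `self.request.fx_permission_info['download_allowed']` directly, so a request whose permission info was built without that key raises `KeyError` and returns a 500 rather than the intended 403. This patch adds the key in one `has_permission` only; if any other code path populates `fx_permission_info` (not visible here), the check should default to deny, e.g. `if not request.fx_permission_info.get('download_allowed', False):`. Separately, the unchanged context line after the guard builds its message from a plain string, so `{TASK_LIMIT}` is sent to the client literally; it needs an `f` prefix. `list` starts before the hunk and continues past it.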
@@ -117,17 +117,26 @@ def has_permission(self, request: Any, view: Any) -> bool:
 
 system_staff_user_flag = is_system_staff_user(request.user)
 user_roles: dict = get_user_course_access_roles(request.user.id)['roles']
+
+ download_allowed = bool(
+ set(user_roles.keys()) & set(view_allowed_roles) & set(view.get_view_user_roles_mapping(
+ view_name='exported_files_data', user=request.user
+ ))
+ )
+
 request.fx_permission_info = {
 'user': request.user,
 'user_roles': user_roles,
 'is_system_staff_user': system_staff_user_flag,
 'view_allowed_roles': view_allowed_roles,
 'view_allowed_tenant_ids_any_access': tenant_ids,
+ 'download_allowed': download_allowed
 }
 
 if system_staff_user_flag:
 request.fx_permission_info.update({
 'user_roles': {},
+ 'download_allowed': True
 })
 
 if system_staff_user_flag or (
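Review bot: `download_allowed` is true only when one single role appears in `user_roles`, in `view_allowed_roles` and in the `exported_files_data` mapping at once, which is stricter than the condition named in the commit subject (task details API accessible) and is decided on role names alone, without reference to `tenant_ids`. A user who reaches this view through one role and the export-files view through another gets `False`; that fails closed, but if it is not intended the expression should be `set(user_roles) & set(view.get_view_user_roles_mapping(view_name='exported_files_data', user=request.user))`, and if it is intended a comment such as `# download needs one role valid for both this view and exported_files_data` should say so. The view name is a bare string literal, so a rename of that view would presumably leave the mapping empty and silently deny every non-staff user; a shared constant would make the coupling visible. `has_permission` starts before the hunk and continues past it.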