Make impersonate_user local to a course

course/auth.py

@@ -59,8 +59,9 @@
         user_status,
         participation_status,
         participation_permission as pperm,
+        COURSE_ID_REGEX,
         )
-from course.models import Participation, ParticipationRole, AuthenticationToken  # noqa
+from course.models import Participation, ParticipationRole, AuthenticationToken, Course  # noqa
 from accounts.models import User
 from course.utils import render_course_page, course_view
 
@@ -82,14 +83,15 @@ def get_pre_impersonation_user(request):
     return None
 
 
-def get_impersonable_user_qset(impersonator):
+def get_impersonable_user_qset(impersonator, course_identifier):
     # type: (User) -> query.QuerySet
-    if impersonator.is_superuser:
-        return User.objects.exclude(pk=impersonator.pk)
+
+    course = Course.objects.get(identifier=course_identifier)
 
     my_participations = Participation.objects.filter(
         user=impersonator,
-        status=participation_status.active)
+        status=participation_status.active,
+        course=course)
 
     impersonable_user_qset = User.objects.none()
     for part in my_participations:
@@ -120,13 +122,23 @@ def get_impersonable_user_qset(impersonator):
     return impersonable_user_qset
 
 
+def _get_current_course_from_request(request):
+    course_match = re.match("^/course/"+COURSE_ID_REGEX+"/", request.get_full_path())
+    if course_match is None:
+        return None
+    else:
+        return course_match.group("course_identifier")
+
+
 class ImpersonateMiddleware(object):
     def __init__(self, get_response):
         self.get_response = get_response
 
     def __call__(self, request):
         if 'impersonate_id' in request.session:
             imp_id = request.session['impersonate_id']
+            imp_course = request.session['impersonate_course']
+            cur_course = _get_current_course_from_request(request)
             impersonee = None
 
             try:
@@ -140,13 +152,20 @@ def __call__(self, request):
                 if request.user.is_superuser:
                     may_impersonate = True
                 else:
-                    qset = get_impersonable_user_qset(cast(User, request.user))
+                    if cur_course is not None:
+                        qset = get_impersonable_user_qset(cast(User, request.user),
+                                course_identifier=cur_course)
+                    else:
+                        qset = get_impersonable_user_qset(cast(User, request.user),
+                                course_identifier=imp_course)
                     if qset.filter(pk=cast(User, impersonee).pk).count():
                         may_impersonate = True
 
             if may_impersonate:
                 request.relate_impersonate_original_user = request.user
                 request.user = impersonee
+            elif cur_course is not None and cur_course != imp_course:
+                raise PermissionDenied()
             else:
                 messages.add_message(request, messages.ERROR,
                         _("Error while impersonating."))
@@ -209,12 +228,17 @@ def __init__(self, *args, **kwargs):
         self.helper.add_input(Submit("submit", _("Impersonate")))
 
 
-def impersonate(request):
+def impersonate(request, course_identifier):
     # type: (http.HttpRequest) -> http.HttpResponse
     if not request.user.is_authenticated:
         raise PermissionDenied()
 
-    impersonable_user_qset = get_impersonable_user_qset(cast(User, request.user))
+    impersonator = cast(User, request.user)
+    if impersonator.is_superuser:
+        impersonable_user_qset = User.objects.exclude(pk=impersonator.pk)
+    else:
+        impersonable_user_qset = get_impersonable_user_qset(impersonator,
+                                    course_identifier)
     if not impersonable_user_qset.count():
         raise PermissionDenied()
 
@@ -234,6 +258,7 @@ def impersonate(request):
             impersonee = form.cleaned_data["user"]
 
             request.session['impersonate_id'] = impersonee.id
+            request.session['impersonate_course'] = course_identifier
             request.session['relate_impersonation_header'] = form.cleaned_data[
                     "add_impersonation_header"]
 

relate/templates/base.html

@@ -108,7 +108,7 @@
                             {% if currently_impersonating %}
                               <li><a onclick=stop_impersonate()>{% trans "Stop impersonating" %}</a></li>
                             {% else %}
-                              <li><a href="{% url 'relate-impersonate' %}" target="_blank">{% trans "Impersonate user" %}</a></li>
+                              <li><a href="{% url 'relate-impersonate' course.identifier %}" target="_blank">{% trans "Impersonate user" %}</a></li>
                             {% endif %}
                             {% if pperm.set_fake_time or request.relate_impersonate_original_user|may_set_fake_time %}
                               <li><a href="{% url 'relate-set_fake_time' %}" target="_blank">{% trans "Set fake time" %}</a></li>

relate/urls.py

@@ -99,11 +99,12 @@
         name="relate-monitor_task"),
 
     # {{{ troubleshooting
-
-    url(r'^user/impersonate/$',
+    url(r"^course"
+        "/" + COURSE_ID_REGEX
+        + "/impersonate/$",
         course.auth.impersonate,
         name="relate-impersonate"),
-    url(r'^user/stop_impersonating/$',
+    url(r"^user/stop_impersonating/$",
         course.auth.stop_impersonating,
         name="relate-stop_impersonating"),