Backend playlist token

src/backend/marsha/bbb/api.py

@@ -94,7 +94,7 @@ class ClassroomViewSet(
 
     permission_classes = [
         (
-            core_permissions.IsTokenResourceRouteObject
+            core_permissions.IsPlaylistToken
             & (core_permissions.IsTokenInstructor | core_permissions.IsTokenAdmin)
         )
         | (
@@ -142,7 +142,8 @@ def get_permissions(self):
             ]
         elif self.action in ["retrieve", "service_join"]:
             permission_classes = [
-                core_permissions.IsTokenResourceRouteObject
+                core_permissions.IsPlaylistToken
+                | core_permissions.IsTokenResourceRouteObject  # needed for invite links
                 | (
                     core_permissions.UserIsAuthenticated  # asserts request.resource is None
                     & (
@@ -188,7 +189,7 @@ def get_serializer_context(self):
                 # For LTI
                 | (
                     core_permissions.ResourceIsAuthenticated
-                    & core_permissions.IsTokenResourceRouteObject
+                    & core_permissions.IsPlaylistToken
                     & (
                         core_permissions.IsTokenInstructor
                         | core_permissions.IsTokenAdmin
@@ -592,7 +593,6 @@ def initiate_upload(self, request, pk=None, classroom_id=None):
         serializer = serializers.ClassroomDocumentInitiateUploadSerializer(
             data=request.data
         )
-
         if serializer.is_valid() is not True:
             return Response(serializer.errors, status=400)
 

src/backend/marsha/bbb/permissions.py

@@ -2,6 +2,7 @@
 
 from rest_framework import permissions
 
+from marsha.bbb.models import Classroom
 from marsha.core import models, permissions as core_permissions
 
 
@@ -33,7 +34,9 @@ def has_permission(self, request, view):
         if not request.resource:
             return False
 
-        return str(view.get_related_classroom_id()) == request.resource.id
+        return Classroom.objects.filter(
+            pk=view.get_related_classroom_id(), playlist_id=request.resource.id
+        ).exists()
 
 
 class BaseIsRelatedClassroomPlaylistRoleMixin:

src/backend/marsha/bbb/serializers.py

@@ -296,13 +296,9 @@ def create(self, validated_data):
             The "validated_data" dictionary is returned after modification.
 
         """
-        resource = self.context["request"].resource
-        classroom_id = self.context["request"].data.get("classroom_id")
+        classroom_id = self.context["view"].get_related_classroom_id()
         if not validated_data.get("classroom_id"):
-            if resource:
-                validated_data["classroom_id"] = resource.id
-            elif classroom_id:
-                validated_data["classroom_id"] = classroom_id
+            validated_data["classroom_id"] = classroom_id
 
         if not ClassroomDocument.objects.filter(
             classroom_id=validated_data["classroom_id"]

src/backend/marsha/bbb/tests/api/classroom/recordings/test_create_vod.py

@@ -78,7 +78,7 @@ def test_api_classroom_recording_create_anonymous_unknown_recording(self):
     def test_api_classroom_recording_create_vod_student(self):
         """Students should not be able to convert a recording to a VOD."""
         recording = ClassroomRecordingFactory()
-        jwt_token = StudentLtiTokenFactory(resource=recording.classroom)
+        jwt_token = StudentLtiTokenFactory(resource=recording.classroom.playlist)
 
         with mock.patch("marsha.bbb.api.invoke_lambda_convert"):
             response = self.client.post(
@@ -99,7 +99,9 @@ def test_api_classroom_recording_create_vod_instructor_or_admin(self):
         recording = ClassroomRecordingFactory(
             started_at="2019-08-21T15:00:02Z",
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=recording.classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(
+            resource=recording.classroom.playlist
+        )
 
         self.assertEqual(Video.objects.count(), 0)
 
@@ -152,7 +154,9 @@ def test_api_classroom_recording_create_vod_instructor_or_admin_unknown_recordin
         recording = ClassroomRecordingFactory(
             started_at="2019-08-21T15:00:02Z",
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=recording.classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(
+            resource=recording.classroom.playlist
+        )
 
         self.assertEqual(Video.objects.count(), 0)
 
@@ -367,7 +371,9 @@ def test_api_classroom_recording_create_vod_instructor_or_admin_inactive_convers
             started_at="2019-08-21T15:00:02Z",
             classroom__playlist__consumer_site__inactive_features=["vod_convert"],
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=recording.classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(
+            resource=recording.classroom.playlist
+        )
 
         self.assertEqual(Video.objects.count(), 0)
 

src/backend/marsha/bbb/tests/api/classroom/recordings/test_delete.py

@@ -68,7 +68,7 @@ def test_api_delete_classroom_recording_anonymous(self, delete_recording_mock):
     def test_api_delete_classroom_recording_student(self, delete_recording_mock):
         """Students should not be able to delete a recording."""
         recording = ClassroomRecordingFactory()
-        jwt_token = StudentLtiTokenFactory(resource=recording.classroom)
+        jwt_token = StudentLtiTokenFactory(resource=recording.classroom.playlist)
         self.assertEqual(ClassroomRecording.objects.count(), 1)
 
         response = self.client.delete(
@@ -93,7 +93,9 @@ def test_api_delete_classroom_recording_instructor_or_admin(
         recording = ClassroomRecordingFactory(
             started_at="2019-08-21T15:00:02Z",
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=recording.classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(
+            resource=recording.classroom.playlist
+        )
         self.assertEqual(ClassroomRecording.objects.count(), 1)
 
         response = self.client.delete(

src/backend/marsha/bbb/tests/api/classroom/test_bulk_destroy.py

@@ -52,7 +52,7 @@ def test_api_classroom_bulk_delete_student(self):
         classroom2 = ClassroomFactory()
 
         jwt_token = StudentLtiTokenFactory(
-            resource=classroom1,
+            resource=classroom1.playlist,
             permissions__can_update=True,
         )
 
@@ -93,7 +93,7 @@ def test_api_classroom_bulk_delete_instructor(self):
         """LTI Token can't delete a list of classroom."""
         classroom = ClassroomFactory()
 
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.delete(
             self._api_url(),
@@ -113,7 +113,7 @@ def test_api_classroom_bulk_delete_instructor_with_playlist_token(self):
         playlist = PlaylistFactory()
         classroom = ClassroomFactory(playlist=playlist)
 
-        jwt_token = PlaylistLtiTokenFactory(resource=classroom)
+        jwt_token = PlaylistLtiTokenFactory(resource=classroom.playlist)
 
         self.assertEqual(Classroom.objects.count(), 1)
 

src/backend/marsha/bbb/tests/api/classroom/test_classroomdocuments.py

@@ -49,7 +49,7 @@ def test_api_list_classroom_documents_student(self):
         """A student should not be able to fetch a list of classroom documents."""
         classroom = ClassroomFactory()
         ClassroomDocumentFactory.create_batch(3, classroom=classroom)
-        jwt_token = StudentLtiTokenFactory(resource=classroom)
+        jwt_token = StudentLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.get(
             f"/api/classrooms/{classroom.id}/classroomdocuments/",
@@ -63,7 +63,7 @@ def test_api_list_classroom_documents_instructor(self):
         classroom_documents = ClassroomDocumentFactory.create_batch(
             3, classroom=classroom
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.get(
             f"/api/classrooms/{classroom.id}/classroomdocuments/?limit=2",
@@ -118,7 +118,7 @@ def test_api_list_classroom_documents_instructor_urls(self):
                 uploaded_on=now,
             )
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.get(
             f"/api/classrooms/{classroom.id}/classroomdocuments/",

src/backend/marsha/bbb/tests/api/classroom/test_create.py

@@ -51,7 +51,7 @@ def test_api_classroom_create_student(self):
         classroom = ClassroomFactory()
 
         jwt_token = StudentLtiTokenFactory(
-            resource=classroom,
+            resource=classroom.playlist,
             permissions__can_update=True,
         )
 
@@ -77,7 +77,7 @@ def test_api_classroom_create_instructor(self):
         """An instructor without playlist token should not be able to create a classroom."""
         classroom = ClassroomFactory()
 
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.post(
             "/api/classrooms/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"

src/backend/marsha/bbb/tests/api/classroom/test_delete.py

@@ -46,7 +46,7 @@ def test_api_classroom_delete_student(self):
         classroom = ClassroomFactory()
 
         jwt_token = StudentLtiTokenFactory(
-            resource=classroom,
+            resource=classroom.playlist,
             permissions__can_update=True,
         )
 
@@ -72,7 +72,7 @@ def test_api_classroom_delete_instructor(self):
         """An instructor without playlist token should not be able to delete a classroom."""
         classroom = ClassroomFactory()
 
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.delete(
             f"/api/classrooms/{classroom.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
@@ -86,7 +86,7 @@ def test_api_classroom_delete_instructor_with_playlist_token(self):
         playlist = PlaylistFactory()
         classroom = ClassroomFactory(playlist=playlist)
 
-        jwt_token = PlaylistLtiTokenFactory(resource=classroom)
+        jwt_token = PlaylistLtiTokenFactory(resource=classroom.playlist)
 
         self.assertEqual(Classroom.objects.count(), 1)
 

src/backend/marsha/bbb/tests/api/classroom/test_list.py

@@ -46,7 +46,7 @@ def test_api_classroom_fetch_list_student(self):
         classroom = ClassroomFactory()
 
         jwt_token = StudentLtiTokenFactory(
-            resource=classroom,
+            resource=classroom.playlist,
             permissions__can_update=True,
         )
 
@@ -59,7 +59,7 @@ def test_api_fetch_list_instructor(self):
         """An instructor should not be able to fetch a classroom list."""
         classroom = ClassroomFactory()
 
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=classroom.playlist)
 
         response = self.client.get(
             "/api/classrooms/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"