diff --git a/cms/djangoapps/api/v1/serializers/course_runs.py b/cms/djangoapps/api/v1/serializers/course_runs.py
index 6bbbce96dd42..e1ee6b743034 100644
--- a/cms/djangoapps/api/v1/serializers/course_runs.py
+++ b/cms/djangoapps/api/v1/serializers/course_runs.py
@@ -199,7 +199,9 @@ def update(self, instance, validated_data):
 'display_name': instance.display_name
 }
 fields.update(validated_data)
- new_course_run_key = rerun_course(user, course_run_key, course_run_key.org, number, run, fields, False)
+ new_course_run_key = rerun_course(
+ user, course_run_key, course_run_key.org, number, run, fields, background=False,
+ )
 course_run = get_course_and_check_access(new_course_run_key, user)
 self.update_team(course_run, team)
@@ -229,10 +231,18 @@ def validate(self, attrs):
 def create(self, validated_data):
 source_course_id = validated_data.get('source_course_id')
 destination_course_id = validated_data.get('destination_course_id')
- user_id = self.context['request'].user.id
- store = modulestore()
- source_key = CourseKey.from_string(source_course_id)
- dest_key = CourseKey.from_string(destination_course_id)
- with store.default_store('split'):
- new_course = store.clone_course(source_key, dest_key, user_id)
- return new_course
+ user = self.context['request'].user
+ source_course_key = CourseKey.from_string(source_course_id)
+ destination_course_key = CourseKey.from_string(destination_course_id)
+ source_course_run = get_course_and_check_access(source_course_key, user)
+ fields = {
+ 'display_name': source_course_run.display_name,
+ }
+
+ destination_course_run_key = rerun_course(
+ user, source_course_key, destination_course_key.org, destination_course_key.course,
+ destination_course_key.run, fields, background=False,
+ )
+
+ destination_course_run = get_course_and_check_access(destination_course_run_key, user)
+ return destination_course_run
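Review bot: In the new `create()` body, nothing maps the exceptions raised by `CourseKey.from_string(...)` and `rerun_course(...)` to a client error: the course.py hunk shows `rerun_course` raising `DuplicateCourseError`, and a malformed or missing key makes `from_string` raise. Unless `validate()` (which starts outside this hunk) or the view already handles these, a clone request for an existing or malformed destination key would probably surface as a 500 instead of a 4xx. I would wrap the `rerun_course` call to catch the duplicate case and raise a DRF validation error that names the destination key, and parse both keys in `validate()` so bad input is rejected before any access check runs. A docstring would also help, for example `"""Clone the source run through rerun_course; source and destination access are checked for the requesting user."""`.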
diff --git a/cms/djangoapps/api/v1/views/course_runs.py b/cms/djangoapps/api/v1/views/course_runs.py
index fb1671ebef04..45ab02351698 100644
--- a/cms/djangoapps/api/v1/views/course_runs.py
+++ b/cms/djangoapps/api/v1/views/course_runs.py
@@ -99,5 +99,6 @@ def rerun(self, request, *args, **kwargs): # lint-amnesty, pylint: disable=miss
 def clone(self, request, *args, **kwargs): # lint-amnesty, pylint: disable=missing-function-docstring, unused-argument
 serializer = CourseCloneSerializer(data=request.data, context=self.get_serializer_context())
 serializer.is_valid(raise_exception=True)
- serializer.save()
+ new_course_run = serializer.save()
+ serializer = self.get_serializer(new_course_run)
 return Response({"message": "Course cloned successfully."}, status=status.HTTP_201_CREATED)
diff --git a/cms/djangoapps/contentstore/views/course.py b/cms/djangoapps/contentstore/views/course.py
index a55bb3db9a53..a67a087e144a 100644
--- a/cms/djangoapps/contentstore/views/course.py
+++ b/cms/djangoapps/contentstore/views/course.py
@@ -971,6 +971,12 @@ def rerun_course(user, source_course_key, org, number, run, fields, background=T
 if store.has_course(destination_course_key, ignore_case=True):
 raise DuplicateCourseError(source_course_key, destination_course_key)
+ # if org or name of source course don't match the destination course,
+ # verify user has access to the destination course
+ if source_course_key.org != destination_course_key.org or source_course_key.course != destination_course_key.course:
+ if not has_studio_write_access(user, destination_course_key):
+ raise PermissionDenied()
+
 # Make sure user has instructor and staff access to the destination course
 # so the user can see the updated status for that course
 add_instructor(destination_course_key, user, user)
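Review bot: In `clone` (cms/djangoapps/api/v1/views/course_runs.py) the new `serializer = self.get_serializer(new_course_run)` is never read, because the response is still the fixed message dict. Either return the serialized run with `return Response(serializer.data, status=status.HTTP_201_CREATED)` or drop the assignment and keep the plain `serializer.save()` call. The first option changes the response body, so confirm that no client depends on the `message` key before taking it.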
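Review bot: In `rerun_course` (cms/djangoapps/contentstore/views/course.py) the new `has_studio_write_access` block sits after the `store.has_course(...)` duplicate check. A caller without write access to the destination therefore gets `DuplicateCourseError` for keys that exist and `PermissionDenied` for keys that do not, which tells them which course keys exist in orgs they cannot write to. Moving the access block above the `has_course` test makes both cases answer `PermissionDenied`. The comment says "org or name" while the condition compares `.org` and `.course`, so `# if the org or course number of the source differs from the destination,` would match the code. The function starts and ends outside the hunk.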