when running an attempt, in the first instance use the LTIUserData object to check permission

The RunAttemptView was using the session's saved LTI data to check if
the user is an instructor, but if the session isn't working properly
that doesn't work. We didn't work out why the session was messed up, but
it was repeatable.

The LTIUserData object for the user and resource is the first place to
check if the user has instructor privileges for the resource.
christianp committed May 27, 2021
1 parent c3763ae commit b8daa7c
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion numbas_lti/views/attempt.py
Expand Up @@ -285,7 +285,8 @@ def get_context_data(self,*args,**kwargs):
mode = 'normal'

if attempt.user != self.request.user:
if request_is_instructor(self.request):
user_data = attempt.resource.user_data(self.request.user)
if (user_data is not None and user_data.is_instructor) or request_is_instructor(self.request):
mode = 'review'
else:
raise PermissionDenied(ugettext("You're not allowed to review this attempt."))
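
Review bot: In the new condition on the `if (user_data is not None and user_data.is_instructor) or request_is_instructor(self.request):` line, the session-based check still grants review mode on its own, even when a `user_data` record exists for this resource and says the user is not an instructor. The commit message says the session state was found to be unreliable for an unknown reason, so it is worth deciding whether the session should remain an independent grant path here, since an unreliable session can fail open as well as closed. One option is to consult `request_is_instructor(self.request)` only when `user_data is None`, so that the per-resource record is authoritative whenever it exists. A short comment explaining the order of the two checks, and a test covering a non-instructor `user_data` combined with an instructor session, would document the intended behaviour.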