fix: Copilot PR feedback

Author: brianjbuck-wgu

lms/djangoapps/instructor/permissions.py

@@ -97,7 +97,7 @@ def has_permission(self, request, view):
 class CourseTeamPermission(BasePermission):
     """
     Allow access to course team management endpoints for users with
-    instructor (Admin) access or the Discussion Admin (forum Administrator) role.
+    instructor (Admin) access or the Discussion Admin (staff + forum Administrator) role.
     """
     def has_permission(self, request, view):
         try:
@@ -107,7 +107,9 @@ def has_permission(self, request, view):
         course = get_course_by_id(course_key)
         if has_access(request.user, 'instructor', course):
             return True
-        if has_forum_access(request.user, course_key, FORUM_ROLE_ADMINISTRATOR):
+        if has_access(request.user, 'staff', course) and has_forum_access(
+            request.user, course_key, FORUM_ROLE_ADMINISTRATOR
+        ):
             return True
         return False
 

lms/djangoapps/instructor/tests/test_api_v2.py

@@ -3507,3 +3507,14 @@ def test_plain_staff_cannot_access_team_endpoints(self):
         self.client.force_authenticate(user=self.staff_user)
         response = self.client.get(url)
         assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_non_staff_forum_admin_cannot_access_team_endpoints(self):
+        """Non-staff user with only forum Administrator role should get 403."""
+        non_staff_forum_admin = UserFactory.create()
+        admin_role = Role.objects.get(course_id=self.course_key, name='Administrator')
+        admin_role.users.add(non_staff_forum_admin)
+
+        url = reverse('instructor_api_v2:course_team', kwargs={'course_id': str(self.course_key)})
+        self.client.force_authenticate(user=non_staff_forum_admin)
+        response = self.client.get(url)
+        assert response.status_code == status.HTTP_403_FORBIDDEN

lms/djangoapps/instructor/views/api_v2.py

@@ -2418,7 +2418,7 @@ class CourseTeamRolesView(DeveloperErrorViewMixin, APIView):
 
         * 200: OK
         * 401: User is not authenticated
-        * 403: User lacks instructor permissions
+        * 403: User lacks course team management permissions (requires instructor or discussion Administrator role)
     """
     permission_classes = (IsAuthenticated, permissions.CourseTeamPermission)
 
@@ -2543,7 +2543,7 @@ class CourseTeamView(DeveloperErrorViewMixin, APIView):
         * 200: OK (GET, POST - role granted/revoked)
         * 400: Invalid parameters
         * 401: User is not authenticated
-        * 403: User lacks instructor permissions
+        * 403: User lacks course team management permissions (requires instructor or discussion Administrator role)
         * 404: Course not found
     """
     permission_classes = (IsAuthenticated, permissions.CourseTeamPermission)
@@ -2710,7 +2710,7 @@ class CourseTeamMemberView(DeveloperErrorViewMixin, APIView):
         * 200: Role(s) revoked successfully
         * 400: Invalid parameters
         * 401: User is not authenticated
-        * 403: User lacks instructor permissions
+        * 403: User lacks course team management permissions (requires instructor or discussion Administrator role)
         * 404: Course or user not found
         * 409: Cannot remove own instructor access
     """

lms/djangoapps/instructor/views/serializers_v2.py

@@ -190,7 +190,7 @@ def get_tabs(self, data):
                 },
             ])
 
-        if access['instructor'] or access['forum_admin']:
+        if access['instructor'] or (access['staff'] and access['forum_admin']):
             tabs.append({
                 'tab_id': 'course_team',
                 'title': _('Course Team'),