From d10e2eab2b31285d591f75e978f60b56a39cd0ae Mon Sep 17 00:00:00 2001
From: sendr
Date: Fri, 8 May 2020 19:07:09 +0300
Subject: [PATCH] HERA-663 404 when user with staff status on a course open Instructor tab (#2047)
Co-authored-by: Sagirov Eugeniy
---
 lms/djangoapps/hera/middleware.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lms/djangoapps/hera/middleware.py b/lms/djangoapps/hera/middleware.py
index d32e63b01444..f72ee37a8e5e 100644
--- a/lms/djangoapps/hera/middleware.py
+++ b/lms/djangoapps/hera/middleware.py
@@ -1,7 +1,7 @@
 from django.http import Http404, HttpResponseRedirect
 from django.urls import reverse
-from student.models import CourseEnrollmentAllowed
+from courseware.access import has_access
 from .models import UserOnboarding
 from .utils import get_user_active_course_id
@@ -48,6 +48,10 @@ def process_request(self, request):
 is_path_allowed = self.is_allowed(request.path, user)
 is_ajax = request.META.get("HTTP_X_REQUESTED_WITH") == 'XMLHttpRequest'
 if not user.is_staff:
+ if '/courses/' in request.path:
+ course_key = get_user_active_course_id(user)
+ if has_access(user, 'staff', course_key):
+ return
 if not is_ajax and not is_path_allowed:
 raise Http404
 if '/media/' in request.path:
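Review bot: In the added `/courses/` branch of `process_request`, the staff check is made against `get_user_active_course_id(user)` rather than the course named in `request.path`, so a user who is course staff on their active course appears to skip the `is_path_allowed` gate for every URL containing `/courses/`, including other courses' pages. The `in` test is also a substring match, so it fires on any path that merely contains `/courses/`, and the early `return` skips the `/media/` handling and whatever follows it outside this hunk. If `get_user_active_course_id` can return `None` (not visible here), `has_access` is then called with a non-course object; guarding with `if course_key is not None and has_access(user, 'staff', course_key):` and parsing the course key from the requested path would tie the bypass to the course actually being opened. The body of `process_request` starts and ends outside the hunk.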