Pearson-Advance · alexjmpb · Jan 11, 2024 · Dec 26, 2023
diff --git a/lms/djangoapps/grades/rest_api/v1/gradebook_views.py b/lms/djangoapps/grades/rest_api/v1/gradebook_views.py
@@ -20,9 +20,9 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from common.djangoapps.student.auth import has_course_author_access
+from common.djangoapps.student.auth import has_course_author_access, is_ccx_course
 from common.djangoapps.student.models import CourseAccessRole, CourseEnrollment, CourseMode
-from common.djangoapps.student.roles import BulkRoleCache
+from common.djangoapps.student.roles import BulkRoleCache, CourseInstructorRole, CourseStaffRole
 from common.djangoapps.track.event_transaction_utils import (
     create_new_event_transaction_id,
     get_event_transaction_id,
@@ -227,6 +227,13 @@ def _wrapper_view(self, request, course_id, *args, **kwargs):
         """
         course_key = CourseKey.from_string(course_id)
         if not has_course_author_access(request.user, course_key):
+            user_has_gradebook_access = any([
+                CourseStaffRole(course_key).has_user(request.user),
+                CourseInstructorRole(course_key).has_user(request.user),
+            ])
+            if is_ccx_course(course_key) and user_has_gradebook_access:
+                return view(self, request, course_key, *args, **kwargs)
+
             raise DeveloperErrorViewMixin.api_error(
                 status_code=status.HTTP_403_FORBIDDEN,
                 developer_message='The requesting user does not have course author permissions.',