diff --git a/server/assignments/schema/types.py b/server/assignments/schema/types.py index 53f52636..eed00bee 100644 --- a/server/assignments/schema/types.py +++ b/server/assignments/schema/types.py @@ -25,4 +25,7 @@ class AssignmentNode(DjangoObjectType): #todo: restrict for students def resolve_submissions(self, info, **kwargs): - return self.submissions.all() + user = info.context.user + if user.has_perm('users.can_manage_school_class_content'): + return self.submissions.filter(student__in=user.users_in_same_school_class()) + return [] diff --git a/server/assignments/tests/test_assignment_permissions.py b/server/assignments/tests/test_assignment_permissions.py index 755c9dcf..fcd3f74f 100644 --- a/server/assignments/tests/test_assignment_permissions.py +++ b/server/assignments/tests/test_assignment_permissions.py @@ -25,9 +25,8 @@ class AssignmentPermissionsTestCase(TestCase): owner=self.teacher ) - request = RequestFactory().get('/') - request.user = self.student1 - self.client = Client(schema=schema, context_value=request) + self.assignment_id = to_global_id('AssignmentNode', self.assignment.pk) + self.module_id = to_global_id('ModuleNode', self.assignment.module.pk) """ to test: @@ -41,19 +40,12 @@ class AssignmentPermissionsTestCase(TestCase): teacher2 should not see result """ - def test_count(self): - self.assertEqual(Assignment.objects.count(), 1) - - def test_submit_submission(self): - """ - id = graphene.ID(required=True) - answer = graphene.String(required=True) - document = graphene.String() - final = graphene.Boolean() - """ - - id = to_global_id('Assignment', self.assignment.pk) + def _create_client(self, user): + request = RequestFactory().get('/') + request.user = user + return Client(schema=schema, context_value=request) + def _submit_submission(self): mutation = ''' mutation UpdateAssignment($input: UpdateAssignmentInput!) { updateAssignment(input: $input){ 
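Review bot: The denied branch of `resolve_submissions` returns a plain list while the allowed branch returns a queryset; `return self.submissions.none()` keeps the return type uniform, which may matter if the field is a connection or filter field (its declaration is outside the hunk). The access rule is not stated anywhere and the `#todo: restrict for students` comment above it is now stale. Replace it with a docstring saying that only users holding `users.can_manage_school_class_content` see submissions, limited to students who share a school class with them, and that everyone else gets an empty result, including a student asking for their own submission. The scope is any shared class rather than the class the assignment belongs to; if that is broader than intended, it should be narrowed here.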
@@ -73,14 +65,67 @@ class AssignmentPermissionsTestCase(TestCase): ''' - result = self.client.execute(mutation, variables={ + client = self._create_client(self.student1) + + return client.execute(mutation, variables={ 'input': { "assignment": { - "id": id, + "id": self.assignment_id, "answer": 'Halo', "final": True } } }) + + def test_permissions(self): + self.assertTrue(self.teacher.has_perm('users.can_manage_school_class_content')) + self.assertTrue(self.teacher2.has_perm('users.can_manage_school_class_content')) + self.assertFalse(self.student1.has_perm('users.can_manage_school_class_content')) + self.assertFalse(self.student2.has_perm('users.can_manage_school_class_content')) + + def test_count(self): + self.assertEqual(Assignment.objects.count(), 1) + + def test_submit_submission(self): + result = self._submit_submission() self.assertIsNone(result.get('errors')) self.assertEqual(StudentSubmission.objects.count(), 1) + + def _test_visibility(self, user, count): + self._submit_submission() + client = self._create_client(user) + query = ''' + query AssignmentWithSubmissions($id: ID!) { + assignment(id: $id) { + title + submissions { + id + text + document + student { + firstName + lastName + } + } + } + } + ''' + result = client.execute(query, variables={ + 'id': self.assignment_id + }) + + self.assertIsNone(result.get('errors')) + self.assertEqual(len(result.get('data').get('assignment').get('submissions')), count) + + + def test_visible_for_teacher(self): + self._test_visibility(self.teacher, 1) + + def test_visible_for_teacher2(self): + self._test_visibility(self.teacher2, 0) + + def test_visible_for_student1(self): + self._test_visibility(self.student1, 0) + + def test_visible_for_student2(self): + self._test_visibility(self.student2, 0) diff --git a/server/users/models.py b/server/users/models.py index 764d8e96..1079f5fc 100644 --- a/server/users/models.py +++ b/server/users/models.py 
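Review bot: The three negative cases (`teacher2`, `student1` and `student2`, each expecting 0) pass vacuously if the mutation in `_submit_submission` fails, because `_test_visibility` discards its result. Assert the precondition before running the query: `self.assertIsNone(self._submit_submission().get('errors'))` followed by `self.assertEqual(StudentSubmission.objects.count(), 1)`. A request with an anonymous `request.user` is not covered either and deserves its own case, since the resolver reads `info.context.user` directly.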
@@ -31,6 +31,9 @@ class User(AbstractUser): def has_perm(self, perm, obj=None): return super(User, self).has_perm(perm, obj) or perm in self.get_all_permissions(obj) + def users_in_same_school_class(self): + return User.objects.filter(school_classes__users=self.pk) + class SchoolClass(models.Model): name = models.CharField(max_length=100, blank=False, null=False) @@ -43,7 +46,6 @@ class SchoolClass(models.Model): return 'SchoolClass {}-{}-{}'.format(self.id, self.name, self.year) - class Role(models.Model): key = models.CharField(_('Key'), max_length=100, blank=False, null=False, unique=True) name = models.CharField(_('Name'), max_length=100, blank=False, null=False) @@ -79,7 +81,6 @@ class Role(models.Model): ) - class UserRole(models.Model): user = models.ForeignKey(User, blank=False, null=False, on_delete=models.CASCADE, related_name='user_roles') role = models.ForeignKey(Role, blank=False, null=False, on_delete=models.CASCADE, related_name='user_roles') diff --git a/server/users/services.py b/server/users/services.py index 2c91049e..0c4d43c0 100644 --- a/server/users/services.py +++ b/server/users/services.py @@ -25,6 +25,7 @@ def create_users(data=None): name='skillbox' ) teacher2 = UserFactory(username='teacher2') + UserRole.objects.create(user=teacher2, role=teacher_role) SchoolClassFactory( users=[teacher2], year='2018',
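Review bot: `users_in_same_school_class` filters across the many-to-many relation, so a user who shares more than one class with `self` is returned once per shared class, and `self` is in the result as well. That is harmless inside the resolver's `student__in` lookup but misleading for any caller that counts or lists the result; `return User.objects.filter(school_classes__users=self.pk).distinct()` avoids it. Because this queryset now defines the authorization scope for submissions, add a one-line docstring stating that it contains the user and every member, teachers included, of each class the user belongs to.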