From 07b3a4e9d5edde9f52531b5d18db182201d33f78 Mon Sep 17 00:00:00 2001
From: Reto Aebersold
Date: Tue, 23 Jan 2024 10:01:22 +0100
Subject: [PATCH] feat: add proper permission
---
 server/vbv_lernwelt/course/views.py | 13 +++----------
 server/vbv_lernwelt/iam/permissions.py | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/server/vbv_lernwelt/course/views.py b/server/vbv_lernwelt/course/views.py
index d6e8afe6..6c2db3ee 100644
--- a/server/vbv_lernwelt/course/views.py
+++ b/server/vbv_lernwelt/course/views.py
@@ -18,12 +18,11 @@ from vbv_lernwelt.course_session_group.models import CourseSessionGroup
 from vbv_lernwelt.files.models import UploadFile
 from vbv_lernwelt.files.services import FileDirectUploadService
 from vbv_lernwelt.iam.permissions import (
+ can_view_course_completions,
 course_sessions_for_user_qs,
 has_course_access,
 has_course_access_by_page_request,
 is_circle_expert,
- is_course_session_expert,
- is_user_mentor,
 )
 from vbv_lernwelt.learning_mentor.models import LearningMentor
@@ -77,14 +76,8 @@ def request_course_completion(request, course_session_id):
 @api_view(["GET"])
 def request_course_completion_for_user(request, course_session_id, user_id):
- if (
- request.user.id == user_id
- or is_course_session_expert(request.user, course_session_id)
- or is_user_mentor(
- mentor=request.user,
- participant_user_id=user_id,
- course_session_id=course_session_id,
- )
+ if can_view_course_completions(
+ user=request.user, course_session_id=course_session_id, target_user_id=user_id
 ):
 return _request_course_completion(course_session_id, user_id)
 raise PermissionDenied()
diff --git a/server/vbv_lernwelt/iam/permissions.py b/server/vbv_lernwelt/iam/permissions.py
index 5a1d7cec..110be65f 100644
--- a/server/vbv_lernwelt/iam/permissions.py
+++ b/server/vbv_lernwelt/iam/permissions.py
@@ -193,3 +193,17 @@ def can_view_profile(user: User, profile_user: CourseSessionUser) -> bool:
 return True
 return False
+
+
+def can_view_course_completions(
+ user: User, course_session_id: int, target_user_id: str
+) -> bool:
+ return (
+ user.id == target_user_id
+ or is_course_session_expert(user=user, course_session_id=course_session_id)
+ or is_user_mentor(
+ mentor=user,
+ participant_user_id=target_user_id,
+ course_session_id=course_session_id,
+ )
+ )
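Review bot: `target_user_id` is annotated `str` but is compared directly with `user.id` in the first branch of `can_view_course_completions`. If the User primary key is not a string (a UUID or integer field, say; the model is not visible in this patch), that comparison is always false and a user asking for their own completions falls through to the expert and mentor checks. The failure is closed, but the self-access rule would then be dead code, so normalise both sides, e.g. `str(user.id) == str(target_user_id)`, or annotate the parameter with the real key type and convert `user_id` in `request_course_completion_for_user`, which passes it through unchanged in the views.py hunk. Because this function is now the single authorization decision for that endpoint, add a short docstring naming the three allowed relationships (the user themself, an expert of the course session, a mentor of the participant in that session). Tests for the deny paths would also keep a later edit from widening access unnoticed.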