feat: add proper permission

server/vbv_lernwelt/course/views.py

@@ -18,12 +18,11 @@ from vbv_lernwelt.course_session_group.models import CourseSessionGroup
 from vbv_lernwelt.files.models import UploadFile
 from vbv_lernwelt.files.services import FileDirectUploadService
 from vbv_lernwelt.iam.permissions import (
+    can_view_course_completions,
     course_sessions_for_user_qs,
     has_course_access,
     has_course_access_by_page_request,
     is_circle_expert,
-    is_course_session_expert,
-    is_user_mentor,
 )
 from vbv_lernwelt.learning_mentor.models import LearningMentor
 
@@ -77,14 +76,8 @@ def request_course_completion(request, course_session_id):
 
 @api_view(["GET"])
 def request_course_completion_for_user(request, course_session_id, user_id):
-    if (
+    if can_view_course_completions(
-        request.user.id == user_id
+        user=request.user, course_session_id=course_session_id, target_user_id=user_id
-        or is_course_session_expert(request.user, course_session_id)
-        or is_user_mentor(
-            mentor=request.user,
-            participant_user_id=user_id,
-            course_session_id=course_session_id,
-        )
     ):
         return _request_course_completion(course_session_id, user_id)
     raise PermissionDenied()

server/vbv_lernwelt/iam/permissions.py

@@ -193,3 +193,17 @@ def can_view_profile(user: User, profile_user: CourseSessionUser) -> bool:
         return True
 
     return False
+
+
+def can_view_course_completions(
+    user: User, course_session_id: int, target_user_id: str
+) -> bool:
+    return (
+        user.id == target_user_id
+        or is_course_session_expert(user=user, course_session_id=course_session_id)
+        or is_user_mentor(
+            mentor=user,
+            participant_user_id=target_user_id,
+            course_session_id=course_session_id,
+        )
+    )