diff --git a/server/vbv_lernwelt/course_session/views.py b/server/vbv_lernwelt/course_session/views.py index ac4af629..8839da3b 100644 --- a/server/vbv_lernwelt/course_session/views.py +++ b/server/vbv_lernwelt/course_session/views.py @@ -4,12 +4,14 @@ from rest_framework.response import Response from vbv_lernwelt.course.models import CircleDocument from vbv_lernwelt.course.serializers import CircleDocumentSerializer -from vbv_lernwelt.iam.permissions import has_course_session_access +from vbv_lernwelt.iam.permissions import ( + has_course_session_document_access, +) @api_view(["GET"]) def get_course_session_documents(request, course_session_id): - if not has_course_session_access(request.user, course_session_id): + if not has_course_session_document_access(request.user, course_session_id): raise PermissionDenied() circle_documents = CircleDocument.objects.filter( diff --git a/server/vbv_lernwelt/iam/permissions.py b/server/vbv_lernwelt/iam/permissions.py index 23a7cc2a..1a5971f9 100644 --- a/server/vbv_lernwelt/iam/permissions.py +++ b/server/vbv_lernwelt/iam/permissions.py @@ -44,6 +44,19 @@ def has_course_session_access(user, course_session_id: int): ).exists() +def has_course_session_document_access(user, course_session_id: int): + if user.is_superuser: + return True + + return ( + CourseSessionUser.objects.filter( + course_session_id=course_session_id, user=user + ).exists() + or is_course_session_berufsbildner(user, course_session_id) + or CourseSessionGroup.objects.filter(course_session=course_session_id, supervisor=user.id).exists() + ) + + def has_course_session_preview(user, course_session_id: int): if user.is_superuser: return True 
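Review bot: `has_course_session_document_access` in the permissions.py hunk is an authorization predicate with no docstring, so the three grants it makes are stated nowhere; add one such as `"""Return True if *user* may read the session's documents: superusers, users with a CourseSessionUser row for the session, a Berufsbildner of a participant in it, or a supervisor of a CourseSessionGroup containing it."""`. If the view in views.py can be reached unauthenticated (that depends on the DRF default permission classes, which are not visible here), `request.user` is an AnonymousUser and the `user=user` lookup raises a TypeError instead of denying, so an explicit `if not user.is_authenticated: return False` before the queries would make the denial deterministic. The final `CourseSessionGroup` filter is written on one over-long line while the sibling `CourseSessionUser` filter is black-wrapped, and it passes `supervisor=user.id` where the sibling passes `user=user`; wrap it the same way and use `supervisor=user` for consistency. `is_course_session_berufsbildner` and `CourseSessionGroup` are defined or imported outside this hunk.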
@@ -336,10 +349,10 @@ def can_view_course_completions( str(user.id) == target_user_id or is_course_session_expert(user=user, course_session_id=course_session_id) or is_agent_for_user( - agent=user, - participant_user_id=target_user_id, - course_session_id=course_session_id, - ) + agent=user, + participant_user_id=target_user_id, + course_session_id=course_session_id, + ) ) @@ -370,7 +383,7 @@ def course_session_permissions(user: User, course_session_id: int) -> list[str]: "learning-mentor": has_learning_mentor, "learning-mentor::edit-mentors": has_learning_mentor and is_member, "learning-mentor::guide-members": course_has_learning_mentor - and is_learning_mentor, + and is_learning_mentor, "preview": has_course_session_preview(user, course_session_id), "media-library": ( is_supervisor or is_expert or is_member or is_berufsbildner diff --git a/server/vbv_lernwelt/iam/tests/test_permissions.py b/server/vbv_lernwelt/iam/tests/test_permissions.py new file mode 100644 index 00000000..872fb5e7 --- /dev/null +++ b/server/vbv_lernwelt/iam/tests/test_permissions.py 
@@ -0,0 +1,152 @@
+from django.test import TestCase
+
+from vbv_lernwelt.course.creators.test_utils import (
+ create_course,
+ create_course_session,
+ create_user,
+)
+from vbv_lernwelt.course.models import CourseSessionUser
+from vbv_lernwelt.course_session_group.models import CourseSessionGroup
+from vbv_lernwelt.iam.permissions import (
+ has_course_session_document_access,
+)
+from vbv_lernwelt.learning_mentor.models import (
+ AgentParticipantRelation,
+ AgentParticipantRoleType,
+)
+
+
+class PermissionsTestCase(TestCase):
+ def setUp(self):
+ self.course, _ = create_course("Test Course")
+ self.course_session = create_course_session(
+ course=self.course, title="Test Session"
+ )
+
+ self.other_course_session = create_course_session(
+ course=self.course, title="Other Session"
+ )
+
+ self.user = create_user("user")
+
+ def test_regionenleiter_has_course_session_document_access(self):
+ # GIVEN
+ csg = CourseSessionGroup.objects.create(name="Test Group", course=self.course)
+ csg.course_session.add(self.course_session)
+ csg.supervisor.add(self.user)
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+ some = CourseSessionGroup.objects.filter(course_session=self.course_session.id, supervisor=self.user.id)
+ print(some)
+
+ # THEN
+ self.assertTrue(has_access)
+
+ def test_regionenleiter_has_no_course_session_document_access(self):
+ # GIVEN
+ csg = CourseSessionGroup.objects.create(name="Test Group", course=self.course)
+ csg.course_session.add(self.other_course_session)
+ csg.supervisor.add(self.user)
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+ some = CourseSessionGroup.objects.filter(course_session=self.course_session.id, supervisor=self.user.id)
+ print(some)
+
+ # THEN
+ self.assertFalse(has_access)
+
+ def test_expert_has_course_session_document_access(self):
+ # GIVEN
+ _csu = CourseSessionUser.objects.create(
+ course_session=self.course_session,
+ user=self.user,
+ role=CourseSessionUser.Role.EXPERT,
+ )
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+ # THEN
+ self.assertTrue(has_access)
+
+ def test_expert_has_no_course_session_document_access(self):
+ # GIVEN
+ _csu = CourseSessionUser.objects.create(
+ course_session=self.course_session,
+ user=self.user,
+ role=CourseSessionUser.Role.EXPERT,
+ )
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.other_course_session.id)
+
+ # THEN
+ self.assertFalse(has_access)
+
+ def test_member_has_course_session_document_access(self):
+ # GIVEN
+ _csu = CourseSessionUser.objects.create(
+ course_session=self.course_session,
+ user=self.user,
+ role=CourseSessionUser.Role.MEMBER,
+ )
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+ # THEN
+ self.assertTrue(has_access)
+
+ def test_member_has_no_course_session_document_access(self):
+ # GIVEN
+ _csu = CourseSessionUser.objects.create(
+ course_session=self.course_session,
+ user=self.user,
+ role=CourseSessionUser.Role.MEMBER,
+ )
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.other_course_session.id)
+
+ # THEN
+ self.assertFalse(has_access)
+
+ def test_berufsbildner_has_course_session_document_access(self):
+ # GIVEN
+ member = create_user("member")
+ _csu = CourseSessionUser.objects.create(
+ course_session=self.course_session,
+ user=member,
+ role=CourseSessionUser.Role.MEMBER,
+ )
+
+ AgentParticipantRelation.objects.create(agent=self.user, participant=_csu,
+ role=AgentParticipantRoleType.BERUFSBILDNER.value)
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+ # THEN
+ self.assertTrue(has_access)
+
+ def test_berufsbildner_has_no_course_session_document_access(self):
+ # GIVEN
+ member = create_user("member")
+ _csu = CourseSessionUser.objects.create(
+ course_session=self.other_course_session,
+ user=member,
+ role=CourseSessionUser.Role.MEMBER,
+ )
+
+ AgentParticipantRelation.objects.create(agent=self.user, participant=_csu,
+ role=AgentParticipantRoleType.BERUFSBILDNER.value)
+
+ # WHEN
+ has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+ # THEN
+ self.assertFalse(has_access)