Add documents permission

server/vbv_lernwelt/course_session/views.py

@@ -4,12 +4,14 @@ from rest_framework.response import Response
 
 from vbv_lernwelt.course.models import CircleDocument
 from vbv_lernwelt.course.serializers import CircleDocumentSerializer
-from vbv_lernwelt.iam.permissions import has_course_session_access
+from vbv_lernwelt.iam.permissions import (
+    has_course_session_document_access,
+)
 
 
 @api_view(["GET"])
 def get_course_session_documents(request, course_session_id):
-    if not has_course_session_access(request.user, course_session_id):
+    if not has_course_session_document_access(request.user, course_session_id):
         raise PermissionDenied()
 
     circle_documents = CircleDocument.objects.filter(

server/vbv_lernwelt/iam/permissions.py

@@ -44,6 +44,19 @@ def has_course_session_access(user, course_session_id: int):
     ).exists()
 
 
+def has_course_session_document_access(user, course_session_id: int):
+    if user.is_superuser:
+        return True
+
+    return (
+        CourseSessionUser.objects.filter(
+            course_session_id=course_session_id, user=user
+        ).exists()
+        or is_course_session_berufsbildner(user, course_session_id)
+        or CourseSessionGroup.objects.filter(course_session=course_session_id, supervisor=user.id).exists()
+    )
+
+
 def has_course_session_preview(user, course_session_id: int):
     if user.is_superuser:
         return True
@@ -336,10 +349,10 @@ def can_view_course_completions(
         str(user.id) == target_user_id
         or is_course_session_expert(user=user, course_session_id=course_session_id)
         or is_agent_for_user(
-            agent=user,
+        agent=user,
-            participant_user_id=target_user_id,
+        participant_user_id=target_user_id,
-            course_session_id=course_session_id,
+        course_session_id=course_session_id,
-        )
+    )
     )
 
 
@@ -370,7 +383,7 @@ def course_session_permissions(user: User, course_session_id: int) -> list[str]:
             "learning-mentor": has_learning_mentor,
             "learning-mentor::edit-mentors": has_learning_mentor and is_member,
             "learning-mentor::guide-members": course_has_learning_mentor
-            and is_learning_mentor,
+                                              and is_learning_mentor,
             "preview": has_course_session_preview(user, course_session_id),
             "media-library": (
                 is_supervisor or is_expert or is_member or is_berufsbildner

server/vbv_lernwelt/iam/tests/test_permissions.py

@@ -0,0 +1,152 @@
+from django.test import TestCase
+
+from vbv_lernwelt.course.creators.test_utils import (
+    create_course,
+    create_course_session,
+    create_user,
+)
+from vbv_lernwelt.course.models import CourseSessionUser
+from vbv_lernwelt.course_session_group.models import CourseSessionGroup
+from vbv_lernwelt.iam.permissions import (
+    has_course_session_document_access,
+)
+from vbv_lernwelt.learning_mentor.models import (
+    AgentParticipantRelation,
+    AgentParticipantRoleType,
+)
+
+
+class PermissionsTestCase(TestCase):
+    def setUp(self):
+        self.course, _ = create_course("Test Course")
+        self.course_session = create_course_session(
+            course=self.course, title="Test Session"
+        )
+
+        self.other_course_session = create_course_session(
+            course=self.course, title="Other Session"
+        )
+
+        self.user = create_user("user")
+
+    def test_regionenleiter_has_course_session_document_access(self):
+        # GIVEN
+        csg = CourseSessionGroup.objects.create(name="Test Group", course=self.course)
+        csg.course_session.add(self.course_session)
+        csg.supervisor.add(self.user)
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+        some = CourseSessionGroup.objects.filter(course_session=self.course_session.id, supervisor=self.user.id)
+        print(some)
+
+        # THEN
+        self.assertTrue(has_access)
+
+    def test_regionenleiter_has_no_course_session_document_access(self):
+        # GIVEN
+        csg = CourseSessionGroup.objects.create(name="Test Group", course=self.course)
+        csg.course_session.add(self.other_course_session)
+        csg.supervisor.add(self.user)
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+        some = CourseSessionGroup.objects.filter(course_session=self.course_session.id, supervisor=self.user.id)
+        print(some)
+
+        # THEN
+        self.assertFalse(has_access)
+
+    def test_expert_has_course_session_document_access(self):
+        # GIVEN
+        _csu = CourseSessionUser.objects.create(
+            course_session=self.course_session,
+            user=self.user,
+            role=CourseSessionUser.Role.EXPERT,
+        )
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+        # THEN
+        self.assertTrue(has_access)
+
+    def test_expert_has_no_course_session_document_access(self):
+        # GIVEN
+        _csu = CourseSessionUser.objects.create(
+            course_session=self.course_session,
+            user=self.user,
+            role=CourseSessionUser.Role.EXPERT,
+        )
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.other_course_session.id)
+
+        # THEN
+        self.assertFalse(has_access)
+
+    def test_member_has_course_session_document_access(self):
+        # GIVEN
+        _csu = CourseSessionUser.objects.create(
+            course_session=self.course_session,
+            user=self.user,
+            role=CourseSessionUser.Role.MEMBER,
+        )
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+        # THEN
+        self.assertTrue(has_access)
+
+    def test_member_has_no_course_session_document_access(self):
+        # GIVEN
+        _csu = CourseSessionUser.objects.create(
+            course_session=self.course_session,
+            user=self.user,
+            role=CourseSessionUser.Role.MEMBER,
+        )
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.other_course_session.id)
+
+        # THEN
+        self.assertFalse(has_access)
+
+    def test_berufsbildner_has_course_session_document_access(self):
+        # GIVEN
+        member = create_user("member")
+        _csu = CourseSessionUser.objects.create(
+            course_session=self.course_session,
+            user=member,
+            role=CourseSessionUser.Role.MEMBER,
+        )
+
+        AgentParticipantRelation.objects.create(agent=self.user, participant=_csu,
+                                                role=AgentParticipantRoleType.BERUFSBILDNER.value)
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+        # THEN
+        self.assertTrue(has_access)
+
+    def test_berufsbildner_has_no_course_session_document_access(self):
+        # GIVEN
+        member = create_user("member")
+        _csu = CourseSessionUser.objects.create(
+            course_session=self.other_course_session,
+            user=member,
+            role=CourseSessionUser.Role.MEMBER,
+        )
+
+        AgentParticipantRelation.objects.create(agent=self.user, participant=_csu,
+                                                role=AgentParticipantRoleType.BERUFSBILDNER.value)
+
+        # WHEN
+        has_access = has_course_session_document_access(self.user, self.course_session.id)
+
+        # THEN
+        self.assertFalse(has_access)