From 597c9f267bd5cb42c81a70606b468c4953839ffd Mon Sep 17 00:00:00 2001
From: Daniel Egger
Date: Mon, 9 Jan 2023 17:30:19 +0100
Subject: [PATCH] Check permissions for accessing user completions

---
 server/config/urls.py | 9 ++++-----
 server/vbv_lernwelt/course/permissions.py | 20 +++++++++++++++++---
 server/vbv_lernwelt/course/views.py | 11 ++++++++---
 3 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/server/config/urls.py b/server/config/urls.py
index de00dc75..885cf4c4 100644
--- a/server/config/urls.py
+++ b/server/config/urls.py
@@ -7,6 +7,9 @@ from django.urls import include, path, re_path
 from django.views import defaults as default_views
 from grapple import urls as grapple_urls
 from ratelimit.exceptions import Ratelimited
+from wagtail import urls as wagtail_urls
+from wagtail.admin import urls as wagtailadmin_urls
+from wagtail.documents import urls as wagtaildocs_urls
 
 from vbv_lernwelt.core.middleware.auth import django_view_authentication_exempt
 from vbv_lernwelt.core.views import (
@@ -32,11 +35,7 @@ from vbv_lernwelt.course.views import (
     request_course_completion,
     request_course_completion_for_user,
 )
-
 from vbv_lernwelt.feedback.views import get_name
-from wagtail import urls as wagtail_urls
-from wagtail.admin import urls as wagtailadmin_urls
-from wagtail.documents import urls as wagtaildocs_urls
 
 
 def raise_example_error(request):
@@ -78,7 +77,7 @@ urlpatterns = [
          name="mark_course_completion"),
     path(r"api/course/completion//",
          request_course_completion, name="request_course_completion"),
-    path(r"api/course/completion///",
+    path(r"api/course/completion///",
          request_course_completion_for_user,
          name="request_course_completion_for_user"),
diff --git a/server/vbv_lernwelt/course/permissions.py b/server/vbv_lernwelt/course/permissions.py
index ce39431b..54619d0d 100644
--- a/server/vbv_lernwelt/course/permissions.py
+++ b/server/vbv_lernwelt/course/permissions.py
@@ -3,15 +3,29 @@ from vbv_lernwelt.learnpath.models import LearningSequence
 
 
 def has_course_access_by_page_request(request, obj):
-    return has_course_access(request.user, obj.specific.get_course())
+    return has_course_access(request.user, obj.specific.get_course().id)
 
 
-def has_course_access(user, course):
+def has_course_access(user, course_id):
     if user.is_superuser:
         return True
 
     if CourseSessionUser.objects.filter(
-        course_session__course_id=course.id, user=user
+        course_session__course_id=course_id, user=user
+    ).exists():
+        return True
+
+    return False
+
+
+def is_course_expert(user, course_id):
+    if user.is_superuser:
+        return True
+
+    if CourseSessionUser.objects.filter(
+        course_session__course_id=course_id,
+        user=user,
+        role=CourseSessionUser.Role.EXPERT,
     ).exists():
         return True
 
diff --git a/server/vbv_lernwelt/course/views.py b/server/vbv_lernwelt/course/views.py
index 72626a01..3511171f 100644
--- a/server/vbv_lernwelt/course/views.py
+++ b/server/vbv_lernwelt/course/views.py
@@ -14,6 +14,8 @@ from vbv_lernwelt.course.models import (
 from vbv_lernwelt.course.permissions import (
     course_sessions_for_user_qs,
     has_course_access_by_page_request,
+    has_course_access,
+    is_course_expert,
     is_circle_expert,
 )
 from vbv_lernwelt.course.serializers import (
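Review bot: `has_course_access_by_page_request` now dereferences `obj.specific.get_course().id` before `has_course_access` reaches its `user.is_superuser` short-circuit, so if `get_course()` can return `None` a superuser who previously got `True` now gets an `AttributeError` (a 500 instead of an access decision); whether `None` is reachable depends on `get_course()`, which is outside the hunk. Keeping the superuser check ahead of the dereference, e.g. `if request.user.is_superuser: return True` as the first line of `has_course_access_by_page_request`, preserves the old ordering. `is_course_expert` is otherwise a copy of `has_course_access` with one extra filter keyword, so a private helper taking the extra `**filters` would keep the two from drifting apart. Both functions would also benefit from a one-line docstring stating that superusers always pass and that `course_id` is matched against `course_session__course_id`, since the old parameter was a course object and callers outside this hunk may still pass one.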
@@ -67,13 +69,16 @@ def _request_course_completion(course_id, user_id):
 
 @api_view(["GET"])
 def request_course_completion(request, course_id):
-    return _request_course_completion(course_id, request.user.id)
+    if has_course_access(request.user, course_id):
+        return _request_course_completion(course_id, request.user.id)
+    raise PermissionDenied()
 
 
 @api_view(["GET"])
 def request_course_completion_for_user(request, course_id, user_id):
-    # TODO: check permissions to access this users data
-    return _request_course_completion(course_id, user_id)
+    if request.user.id == user_id or is_course_expert(request.user, course_id):
+        return _request_course_completion(course_id, user_id)
+    raise PermissionDenied()
 
 
 @api_view(["POST"])
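Review bot: The owner check in `request_course_completion_for_user`, `request.user.id == user_id`, only works if the `user_id` URL converter yields an `int`; the converter text in the urls.py hunk was lost in this rendering so it cannot be confirmed here, and with a string `user_id` the comparison is always false and every self-request silently falls through to `is_course_expert`. The two views also disagree on policy: `request_course_completion` requires `has_course_access`, whereas a self-request through the `_for_user` route needs no course membership at all, so `if (request.user.id == user_id and has_course_access(request.user, course_id)) or is_course_expert(request.user, course_id):` would make them consistent if that is the intended rule. `is_course_expert` grants an expert access to any `user_id` in the course rather than only to users in a session the expert belongs to; if experts are meant to be scoped to their own sessions, the check should also join on the target user's `CourseSessionUser` row. Finally, neither view rejects an unauthenticated request before `request.user` reaches the `CourseSessionUser` filter; unless a middleware already does so (urls.py imports `django_view_authentication_exempt`, which suggests one exists), an `AnonymousUser` would surface as a server error rather than a `PermissionDenied`.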