Check permissions for accessing user completions

server/config/urls.py

@@ -7,6 +7,9 @@ from django.urls import include, path, re_path
 from django.views import defaults as default_views
 from grapple import urls as grapple_urls
 from ratelimit.exceptions import Ratelimited
+from wagtail import urls as wagtail_urls
+from wagtail.admin import urls as wagtailadmin_urls
+from wagtail.documents import urls as wagtaildocs_urls
 
 from vbv_lernwelt.core.middleware.auth import django_view_authentication_exempt
 from vbv_lernwelt.core.views import (
@@ -32,11 +35,7 @@ from vbv_lernwelt.course.views import (
     request_course_completion,
     request_course_completion_for_user,
 )
-
 from vbv_lernwelt.feedback.views import get_name
-from wagtail import urls as wagtail_urls
-from wagtail.admin import urls as wagtailadmin_urls
-from wagtail.documents import urls as wagtaildocs_urls
 
 
 def raise_example_error(request):
@@ -78,7 +77,7 @@ urlpatterns = [
          name="mark_course_completion"),
     path(r"api/course/completion/<course_id>/", request_course_completion,
          name="request_course_completion"),
-    path(r"api/course/completion/<course_id>/<user_id>/",
+    path(r"api/course/completion/<course_id>/<int:user_id>/",
          request_course_completion_for_user,
          name="request_course_completion_for_user"),
 

server/vbv_lernwelt/course/permissions.py

@@ -3,15 +3,29 @@ from vbv_lernwelt.learnpath.models import LearningSequence
 
 
 def has_course_access_by_page_request(request, obj):
-    return has_course_access(request.user, obj.specific.get_course())
+    return has_course_access(request.user, obj.specific.get_course().id)
 
 
-def has_course_access(user, course):
+def has_course_access(user, course_id):
     if user.is_superuser:
         return True
 
     if CourseSessionUser.objects.filter(
-        course_session__course_id=course.id, user=user
+        course_session__course_id=course_id, user=user
+    ).exists():
+        return True
+
+    return False
+
+
+def is_course_expert(user, course_id):
+    if user.is_superuser:
+        return True
+
+    if CourseSessionUser.objects.filter(
+        course_session__course_id=course_id,
+        user=user,
+        role=CourseSessionUser.Role.EXPERT,
     ).exists():
         return True
 

server/vbv_lernwelt/course/views.py

@@ -14,6 +14,8 @@ from vbv_lernwelt.course.models import (
 from vbv_lernwelt.course.permissions import (
     course_sessions_for_user_qs,
     has_course_access_by_page_request,
+    has_course_access,
+    is_course_expert,
     is_circle_expert,
 )
 from vbv_lernwelt.course.serializers import (
@@ -67,13 +69,16 @@ def _request_course_completion(course_id, user_id):
 
 @api_view(["GET"])
 def request_course_completion(request, course_id):
+    if has_course_access(request.user, course_id):
         return _request_course_completion(course_id, request.user.id)
+    raise PermissionDenied()
 
 
 @api_view(["GET"])
 def request_course_completion_for_user(request, course_id, user_id):
-    # TODO: check permissions to access this users data
+    if request.user.id == user_id or is_course_expert(request.user, course_id):
         return _request_course_completion(course_id, user_id)
+    raise PermissionDenied()
 
 
 @api_view(["POST"])