Fix index, check if expert is in session and circle

2024-10-30 11:20:21 +01:00 · 2024-10-30 11:20:21 +01:00 · 8c8b11b354
parent 345e935655
commit 8c8b11b354
4 changed files with 36 additions and 4 deletions
--- a/client/src/components/ui/ItFullScreenModal.vue
+++ b/client/src/components/ui/ItFullScreenModal.vue
@ -39,7 +39,7 @@ const removeNoScroll = () => {
    <div
      v-if="show"
      data-cy="full-screen-modal"
-      class="fixed top-0 h-full w-full overflow-y-scroll bg-white px-4 py-16 lg:px-16 lg:py-24"
+      class="fixed top-0 z-20 h-full w-full overflow-y-scroll bg-white px-4 py-16 lg:px-16 lg:py-24"
    >
      <button
        type="button"
--- a/server/vbv_lernwelt/feedback/tests/test_feedback_api.py
+++ b/server/vbv_lernwelt/feedback/tests/test_feedback_api.py
@ -149,6 +149,15 @@ class FeedbackRestApiTestCase(FeedbackBaseTestCase):
            response.data[0], {"circle_id": self.circle_basis.id, "count": 3}
        )

+    def test_detail_trainer_from_other_session_cannot_fetch_feedback(self):
+        trainer2 = User.objects.get(email="test-trainer2@example.com")
+        self.client.force_login(trainer2)
+        response = self.client.get(
+            f"/api/core/feedback/{self.course_session.id}/{self.circle_basis.id}/"
+        )
+
+        self.assertEqual(response.status_code, 403)
+
    def test_detail_student_cannot_fetch_feedback(self):
        self.client.force_login(self.student)
        response = self.client.get(
--- a/server/vbv_lernwelt/feedback/views.py
+++ b/server/vbv_lernwelt/feedback/views.py
@ -7,7 +7,10 @@ from rest_framework.response import Response

 from vbv_lernwelt.feedback.models import FeedbackResponse
 from vbv_lernwelt.feedback.utils import feedback_users
-from vbv_lernwelt.iam.permissions import is_course_session_expert
+from vbv_lernwelt.iam.permissions import (
+    is_circle_expert_by_circle_id,
+    is_course_session_expert,
+)

 logger = structlog.get_logger(__name__)

@ -51,7 +54,9 @@ def get_expert_feedbacks_for_course(request, course_session_id):

@api_view(["GET"])
 def get_feedback_for_circle(request, course_session_id, circle_id):
-    if not is_course_session_expert(request.user, course_session_id):
+    if not is_circle_expert_by_circle_id(
+        request.user, course_session_id, circle_id, check_supervisor=True
+    ):
        raise PermissionDenied()

    feedbacks = FeedbackResponse.objects.filter(
--- a/server/vbv_lernwelt/iam/permissions.py
+++ b/server/vbv_lernwelt/iam/permissions.py
@ -248,13 +248,31 @@ def is_circle_expert(user, course_session_id: int, learning_sequence_id: int) ->

    circle_id = learning_sequence.get_parent().circle.id

-    return CourseSessionUser.objects.filter(
+    return is_circle_expert_by_circle_id(user, course_session_id, circle_id)
+
+
+def is_circle_expert_by_circle_id(
+    user, course_session_id: int, circle_id: int, check_supervisor=False
+) -> bool:
+    if user.is_superuser:
+        return True
+
+    is_supervisor = (
+        CourseSessionGroup.objects.filter(
+            supervisor=user, course_session__id=course_session_id
+        ).exists()
+        and check_supervisor
+    )
+
+    is_expert = CourseSessionUser.objects.filter(
        course_session_id=course_session_id,
        user=user,
        role=CourseSessionUser.Role.EXPERT,
        expert__id=circle_id,
    ).exists()

+    return is_supervisor or is_expert
+

 def can_view_course_session_group_statistics(
    user: User, group: CourseSessionGroup