Merged in bugfix/VBV-769-expert-feedback-view (pull request #419)

Fix index, check if expert is in session and circle

Approved-by: Elia Bieri
Christian Cueni 2024-11-06 14:55:55 +00:00
commit bc55b1b660
5 changed files with 37 additions and 5 deletions


@ -10,7 +10,7 @@ import { Popover, PopoverButton, PopoverPanel } from "@headlessui/vue";
<PopoverPanel>
<div
class="absolute right-0 z-10 mt-2 bg-white px-4 py-4 shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none lg:right-2"
class="absolute right-0 z-30 mt-2 bg-white px-4 py-4 shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none lg:right-2"
>
<!-- To close the popover withing your content, use the 'PopoverButton'
https://headlessui.com/vue/popover#closing-popovers-manually


@ -39,7 +39,7 @@ const removeNoScroll = () => {
<div
v-if="show"
data-cy="full-screen-modal"
class="fixed top-0 h-full w-full overflow-y-scroll bg-white px-4 py-16 lg:px-16 lg:py-24"
class="fixed top-0 z-20 h-full w-full overflow-y-scroll bg-white px-4 py-16 lg:px-16 lg:py-24"
>
<button
type="button"


@ -149,6 +149,15 @@ class FeedbackRestApiTestCase(FeedbackBaseTestCase):
response.data[0], {"circle_id": self.circle_basis.id, "count": 3}
)
def test_detail_trainer_from_other_session_cannot_fetch_feedback(self):
trainer2 = User.objects.get(email="test-trainer2@example.com")
self.client.force_login(trainer2)
response = self.client.get(
f"/api/core/feedback/{self.course_session.id}/{self.circle_basis.id}/"
)
self.assertEqual(response.status_code, 403)
def test_detail_student_cannot_fetch_feedback(self):
self.client.force_login(self.student)
response = self.client.get(
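Review bot: The added `test_detail_trainer_from_other_session_cannot_fetch_feedback` only covers a trainer from a different session, a case the previous `is_course_session_expert` check would presumably have rejected too. The case this commit actually tightens has no test here: an expert of the same session who is assigned to a different circle should get 403. The `check_supervisor=True` path has no test either, where a supervisor of the session should still get 200. Two further tests along the lines of `test_detail_trainer_from_other_circle_cannot_fetch_feedback` and `test_detail_supervisor_can_fetch_feedback` would pin the new authorization rule, assuming the fixtures (not visible in this hunk) provide such users. The test class continues outside the hunk.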


@ -7,7 +7,10 @@ from rest_framework.response import Response
from vbv_lernwelt.feedback.models import FeedbackResponse
from vbv_lernwelt.feedback.utils import feedback_users
from vbv_lernwelt.iam.permissions import is_course_session_expert
from vbv_lernwelt.iam.permissions import (
is_circle_expert_by_circle_id,
is_course_session_expert,
)
logger = structlog.get_logger(__name__)
@ -51,7 +54,9 @@ def get_expert_feedbacks_for_course(request, course_session_id):
@api_view(["GET"])
def get_feedback_for_circle(request, course_session_id, circle_id):
if not is_course_session_expert(request.user, course_session_id):
if not is_circle_expert_by_circle_id(
request.user, course_session_id, circle_id, check_supervisor=True
):
raise PermissionDenied()
feedbacks = FeedbackResponse.objects.filter(
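Review bot: The `raise PermissionDenied()` path in `get_feedback_for_circle` emits no log event even though a structlog `logger` is defined in this module. Repeated attempts to read feedback for circles the user is not assigned to therefore leave no application-level trace, unless something outside this view records 403 responses. Consider logging before raising, e.g. `logger.warning("feedback access denied", user_id=request.user.id, course_session_id=course_session_id, circle_id=circle_id)`. The function body continues outside the hunk.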


@ -248,13 +248,31 @@ def is_circle_expert(user, course_session_id: int, learning_sequence_id: int) ->
circle_id = learning_sequence.get_parent().circle.id
return CourseSessionUser.objects.filter(
return is_circle_expert_by_circle_id(user, course_session_id, circle_id)
def is_circle_expert_by_circle_id(
user, course_session_id: int, circle_id: int, check_supervisor=False
) -> bool:
if user.is_superuser:
return True
is_supervisor = (
check_supervisor
and CourseSessionGroup.objects.filter(
supervisor=user, course_session__id=course_session_id
).exists()
)
is_expert = CourseSessionUser.objects.filter(
course_session_id=course_session_id,
user=user,
role=CourseSessionUser.Role.EXPERT,
expert__id=circle_id,
).exists()
return is_supervisor or is_expert
def can_view_course_session_group_statistics(
user: User, group: CourseSessionGroup
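Review bot: The supervisor branch of `is_circle_expert_by_circle_id` never looks at `circle_id`, so with `check_supervisor=True` any supervisor of a group containing the session passes for every circle id supplied, and the `is_superuser` shortcut behaves the same way. If the caller's query does not itself filter on both course session and circle (that code is outside this hunk), feedback for a circle that does not belong to the session could be returned; either verify here that the circle belongs to the session's course, or document that callers must scope their query. Because `is_circle_expert` now delegates to this function, it also inherits the superuser shortcut, which may change its result if it had none before (its body starts above the hunk). Annotating `check_supervisor: bool = False` and adding a docstring that lists the three accepted cases (superuser, expert assigned to the circle in this session, supervisor of the session when the flag is set) would make the contract explicit.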