Merged in bugfix/VBV-769-expert-feedback-view (pull request #419)

Fix index, check if expert is in session and circle

Approved-by: Elia Bieri

client/src/components/notifications/NotificationPopover.vue

@@ -10,7 +10,7 @@ import { Popover, PopoverButton, PopoverPanel } from "@headlessui/vue";
 
     <PopoverPanel>
       <div
-        class="absolute right-0 z-10 mt-2 bg-white px-4 py-4 shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none lg:right-2"
+        class="absolute right-0 z-30 mt-2 bg-white px-4 py-4 shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none lg:right-2"
       >
         <!-- To close the popover withing your content, use the 'PopoverButton'
              https://headlessui.com/vue/popover#closing-popovers-manually

client/src/components/ui/ItFullScreenModal.vue

@@ -39,7 +39,7 @@ const removeNoScroll = () => {
     <div
       v-if="show"
       data-cy="full-screen-modal"
-      class="fixed top-0 h-full w-full overflow-y-scroll bg-white px-4 py-16 lg:px-16 lg:py-24"
+      class="fixed top-0 z-20 h-full w-full overflow-y-scroll bg-white px-4 py-16 lg:px-16 lg:py-24"
     >
       <button
         type="button"

server/vbv_lernwelt/feedback/tests/test_feedback_api.py

@@ -149,6 +149,15 @@ class FeedbackRestApiTestCase(FeedbackBaseTestCase):
             response.data[0], {"circle_id": self.circle_basis.id, "count": 3}
         )
 
+    def test_detail_trainer_from_other_session_cannot_fetch_feedback(self):
+        trainer2 = User.objects.get(email="test-trainer2@example.com")
+        self.client.force_login(trainer2)
+        response = self.client.get(
+            f"/api/core/feedback/{self.course_session.id}/{self.circle_basis.id}/"
+        )
+
+        self.assertEqual(response.status_code, 403)
+
     def test_detail_student_cannot_fetch_feedback(self):
         self.client.force_login(self.student)
         response = self.client.get(

server/vbv_lernwelt/feedback/views.py

@@ -7,7 +7,10 @@ from rest_framework.response import Response
 
 from vbv_lernwelt.feedback.models import FeedbackResponse
 from vbv_lernwelt.feedback.utils import feedback_users
-from vbv_lernwelt.iam.permissions import is_course_session_expert
+from vbv_lernwelt.iam.permissions import (
+    is_circle_expert_by_circle_id,
+    is_course_session_expert,
+)
 
 logger = structlog.get_logger(__name__)
 
@@ -51,7 +54,9 @@ def get_expert_feedbacks_for_course(request, course_session_id):
 
 @api_view(["GET"])
 def get_feedback_for_circle(request, course_session_id, circle_id):
-    if not is_course_session_expert(request.user, course_session_id):
+    if not is_circle_expert_by_circle_id(
+        request.user, course_session_id, circle_id, check_supervisor=True
+    ):
         raise PermissionDenied()
 
     feedbacks = FeedbackResponse.objects.filter(

server/vbv_lernwelt/iam/permissions.py

@@ -248,13 +248,31 @@ def is_circle_expert(user, course_session_id: int, learning_sequence_id: int) ->
 
     circle_id = learning_sequence.get_parent().circle.id
 
-    return CourseSessionUser.objects.filter(
+    return is_circle_expert_by_circle_id(user, course_session_id, circle_id)
+
+
+def is_circle_expert_by_circle_id(
+    user, course_session_id: int, circle_id: int, check_supervisor=False
+) -> bool:
+    if user.is_superuser:
+        return True
+
+    is_supervisor = (
+        check_supervisor
+        and CourseSessionGroup.objects.filter(
+            supervisor=user, course_session__id=course_session_id
+        ).exists()
+    )
+
+    is_expert = CourseSessionUser.objects.filter(
         course_session_id=course_session_id,
         user=user,
         role=CourseSessionUser.Role.EXPERT,
         expert__id=circle_id,
     ).exists()
 
+    return is_supervisor or is_expert
+
 
 def can_view_course_session_group_statistics(
     user: User, group: CourseSessionGroup