From bcf5676afdc7992d31706d9b6157d14c5774387b Mon Sep 17 00:00:00 2001
From: Christian Cueni
Date: Wed, 29 May 2024 11:40:17 +0200
Subject: [PATCH] wip: Add access tests
---
 .../vbv_lernwelt/core/create_default_users.py | 2 +-
 .../dashboard/tests/test_views.py | 44 +++++++++++++++++++
 server/vbv_lernwelt/dashboard/views.py | 4 +-
 3 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/server/vbv_lernwelt/core/create_default_users.py b/server/vbv_lernwelt/core/create_default_users.py
index e9b8aba8..971d15b6 100644
--- a/server/vbv_lernwelt/core/create_default_users.py
+++ b/server/vbv_lernwelt/core/create_default_users.py
@@ -79,7 +79,7 @@ AVATAR_DIR = settings.APPS_DIR / "static" / "avatars"
 def create_default_users(default_password="test", set_avatar=False):
 admin_group, created = Group.objects.get_or_create(name="admin_group")
- _content_creator_grop, _created = Group.objects.get_or_create(
+ _content_creator_group, _created = Group.objects.get_or_create(
 name="content_creator_grop"
 )
 student_group, created = Group.objects.get_or_create(name="student_group")
diff --git a/server/vbv_lernwelt/dashboard/tests/test_views.py b/server/vbv_lernwelt/dashboard/tests/test_views.py
index ddd0d248..015360d2 100644
--- a/server/vbv_lernwelt/dashboard/tests/test_views.py
+++ b/server/vbv_lernwelt/dashboard/tests/test_views.py
@@ -5,7 +5,14 @@ from vbv_lernwelt.assignment.models import (
 AssignmentCompletion,
 AssignmentCompletionStatus,
 )
+from vbv_lernwelt.core.constants import (
+ TEST_COURSE_SESSION_BERN_ID,
+ TEST_COURSE_SESSION_ZURICH_ID,
+ TEST_STUDENT1_USER_ID,
+ TEST_SUPERVISOR1_USER_ID,
+)
 from vbv_lernwelt.core.create_default_users import create_default_users
+from vbv_lernwelt.core.models import User
 from vbv_lernwelt.course.creators.test_course import create_test_course
 from vbv_lernwelt.course.creators.test_utils import (
 add_course_session_group_supervisor,
@@ -17,6 +24,7 @@ from vbv_lernwelt.course.creators.test_utils import (
 )
 from vbv_lernwelt.course.models import Course, CourseSession, CourseSessionUser
 from vbv_lernwelt.dashboard.views import (
+ _get_allowed_course_session_ids_for_user,
 _get_mentee_count,
 _get_mentor_open_tasks_count,
 get_course_config,
@@ -432,3 +440,39 @@ class GetMentorOpenTasksTestCase(BaseMentorAssignmentTestCase):
 completion_status=AssignmentCompletionStatus.SUBMITTED.value,
 count=0,
 )
+
+
+class ExportXlsTestCase(TestCase):
+ def setUp(self):
+ create_default_users()
+ create_test_course(include_vv=False, with_sessions=True)
+
+ def test_can_export_cs_dats(self):
+ # supervisor sees all cs in region
+ supervisor = User.objects.get(id=TEST_SUPERVISOR1_USER_ID)
+ requested_cs_ids = [TEST_COURSE_SESSION_ZURICH_ID, TEST_COURSE_SESSION_BERN_ID]
+
+ allowed_cs_id = _get_allowed_course_session_ids_for_user(
+ supervisor, requested_cs_ids
+ )
+ self.assertCountEqual(requested_cs_ids, allowed_cs_id)
+
+ def test_student_cannot_export_data(self):
+ # student cannot export any data
+ student = User.objects.get(id=TEST_STUDENT1_USER_ID)
+ requested_cs_ids = [TEST_COURSE_SESSION_ZURICH_ID]
+
+ allowed_cs_id = _get_allowed_course_session_ids_for_user(
+ student, requested_cs_ids
+ )
+ self.assertCountEqual([], allowed_cs_id)
+
+ def test_trainer_cannot_export_other_cs(self):
+ # trainer can only export cs where she is assigned
+ student = User.objects.get(email="test-trainer2@example.com")
+ requested_cs_ids = [TEST_COURSE_SESSION_BERN_ID, TEST_COURSE_SESSION_ZURICH_ID]
+
+ allowed_cs_id = _get_allowed_course_session_ids_for_user(
+ student, requested_cs_ids
+ )
+ self.assertCountEqual([TEST_COURSE_SESSION_ZURICH_ID], allowed_cs_id)
diff --git a/server/vbv_lernwelt/dashboard/views.py b/server/vbv_lernwelt/dashboard/views.py
index f9efbd4e..e28d474a 100644
--- a/server/vbv_lernwelt/dashboard/views.py
+++ b/server/vbv_lernwelt/dashboard/views.py
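Review bot: The access-control tests in `ExportXlsTestCase` (test_views.py) cover a deny path for the student and the trainer but none for the supervisor: `test_can_export_cs_dats` only asserts that both requested sessions come back, so a regression that grants supervisors every session would still pass. A case that requests a session outside the supervisor's region (if the fixtures built by `create_test_course` provide one), plus one with an empty or unknown id list, would pin the boundary. In `test_trainer_cannot_export_other_cs` the user is bound to `student`, which misreads in an authorization test; `trainer = User.objects.get(email="test-trainer2@example.com")` is clearer. The method name `test_can_export_cs_dats` also looks like a typo for `test_can_export_cs_data`.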
@@ -568,13 +568,13 @@ def _generate_xls_export(request, export_fn) -> HttpResponse:
 def _get_allowed_course_session_ids_for_user(
 user: User, requested_cs_ids: List[str]
 ) -> List[str]:
- ALLOWED_ROLES = ["TRAINER", "SUPERVISOR"]
+ ALLOWED_ROLES = ["EXPERT", "SUPERVISOR"]
 # 1. get course sessions for user with allowed roles
 # 2. get overlapping course sessions with given course_session_ids
 # Note: We don't care about the circle_ids as it's ok-ish that trainers could export other data
 all_cs_ids_for_user = [
 csr._original.id
 for csr in get_course_sessions_with_roles_for_user(user)
- if any(allowed_role in ALLOWED_ROLES for role in csr.roles)
+ if any(role in ALLOWED_ROLES for role in csr.roles)
 ] # noqa
 return list(set(requested_cs_ids) & set(all_cs_ids_for_user))
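Review bot: `_get_allowed_course_session_ids_for_user` is the authorization gate for the export, yet `ALLOWED_ROLES` is a list of bare string literals, so a misspelled or renamed role silently changes who may export without raising any error. If the project already defines the role names as constants or an enum (not visible in this hunk), reference those here and hoist the set to module level, e.g. `ALLOWED_EXPORT_ROLES = frozenset({"EXPERT", "SUPERVISOR"})`. The retained remark that it is "ok-ish that trainers could export other data" means the check is scoped per course session and not per circle; that accepted gap would be better recorded as a tracked item, e.g. `# TODO(security): experts can export data of circles they are not assigned to; filter by circle_ids`. The blanket `# noqa` after the comprehension should name the rule it suppresses or be removed.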