wip: Add access tests

server/vbv_lernwelt/core/create_default_users.py

@@ -79,7 +79,7 @@ AVATAR_DIR = settings.APPS_DIR / "static" / "avatars"
 
 def create_default_users(default_password="test", set_avatar=False):
     admin_group, created = Group.objects.get_or_create(name="admin_group")
-    _content_creator_grop, _created = Group.objects.get_or_create(
+    _content_creator_group, _created = Group.objects.get_or_create(
         name="content_creator_grop"
     )
     student_group, created = Group.objects.get_or_create(name="student_group")

server/vbv_lernwelt/dashboard/tests/test_views.py

@@ -5,7 +5,14 @@ from vbv_lernwelt.assignment.models import (
     AssignmentCompletion,
     AssignmentCompletionStatus,
 )
+from vbv_lernwelt.core.constants import (
+    TEST_COURSE_SESSION_BERN_ID,
+    TEST_COURSE_SESSION_ZURICH_ID,
+    TEST_STUDENT1_USER_ID,
+    TEST_SUPERVISOR1_USER_ID,
+)
 from vbv_lernwelt.core.create_default_users import create_default_users
+from vbv_lernwelt.core.models import User
 from vbv_lernwelt.course.creators.test_course import create_test_course
 from vbv_lernwelt.course.creators.test_utils import (
     add_course_session_group_supervisor,
@@ -17,6 +24,7 @@ from vbv_lernwelt.course.creators.test_utils import (
 )
 from vbv_lernwelt.course.models import Course, CourseSession, CourseSessionUser
 from vbv_lernwelt.dashboard.views import (
+    _get_allowed_course_session_ids_for_user,
     _get_mentee_count,
     _get_mentor_open_tasks_count,
     get_course_config,
@@ -432,3 +440,39 @@ class GetMentorOpenTasksTestCase(BaseMentorAssignmentTestCase):
             completion_status=AssignmentCompletionStatus.SUBMITTED.value,
             count=0,
         )
+
+
+class ExportXlsTestCase(TestCase):
+    def setUp(self):
+        create_default_users()
+        create_test_course(include_vv=False, with_sessions=True)
+
+    def test_can_export_cs_dats(self):
+        # supervisor sees all cs in region
+        supervisor = User.objects.get(id=TEST_SUPERVISOR1_USER_ID)
+        requested_cs_ids = [TEST_COURSE_SESSION_ZURICH_ID, TEST_COURSE_SESSION_BERN_ID]
+
+        allowed_cs_id = _get_allowed_course_session_ids_for_user(
+            supervisor, requested_cs_ids
+        )
+        self.assertCountEqual(requested_cs_ids, allowed_cs_id)
+
+    def test_student_cannot_export_data(self):
+        # student cannot export any data
+        student = User.objects.get(id=TEST_STUDENT1_USER_ID)
+        requested_cs_ids = [TEST_COURSE_SESSION_ZURICH_ID]
+
+        allowed_cs_id = _get_allowed_course_session_ids_for_user(
+            student, requested_cs_ids
+        )
+        self.assertCountEqual([], allowed_cs_id)
+
+    def test_trainer_cannot_export_other_cs(self):
+        # trainer can only export cs where she is assigned
+        student = User.objects.get(email="test-trainer2@example.com")
+        requested_cs_ids = [TEST_COURSE_SESSION_BERN_ID, TEST_COURSE_SESSION_ZURICH_ID]
+
+        allowed_cs_id = _get_allowed_course_session_ids_for_user(
+            student, requested_cs_ids
+        )
+        self.assertCountEqual([TEST_COURSE_SESSION_ZURICH_ID], allowed_cs_id)

server/vbv_lernwelt/dashboard/views.py

@@ -568,13 +568,13 @@ def _generate_xls_export(request, export_fn) -> HttpResponse:
 def _get_allowed_course_session_ids_for_user(
     user: User, requested_cs_ids: List[str]
 ) -> List[str]:
-    ALLOWED_ROLES = ["TRAINER", "SUPERVISOR"]
+    ALLOWED_ROLES = ["EXPERT", "SUPERVISOR"]
     # 1. get course sessions for user with allowed roles
     # 2. get overlapping course sessions with given course_session_ids
     # Note: We don't care about the circle_ids as it's ok-ish that trainers could export other data
     all_cs_ids_for_user = [
         csr._original.id
         for csr in get_course_sessions_with_roles_for_user(user)
-        if any(allowed_role in ALLOWED_ROLES for role in csr.roles)
+        if any(role in ALLOWED_ROLES for role in csr.roles)
     ]  # noqa
     return list(set(requested_cs_ids) & set(all_cs_ids_for_user))