From d80400ea8c4f40b1913eec5c70c0044af3ff41f4 Mon Sep 17 00:00:00 2001
From: Daniel Egger
Date: Thu, 21 Sep 2023 08:59:05 +0200
Subject: [PATCH] VBV-525: Fix feedback data rest endpoint
---
 server/vbv_lernwelt/feedback/views.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/server/vbv_lernwelt/feedback/views.py b/server/vbv_lernwelt/feedback/views.py
index 3a708dca..d00ab5ec 100644
--- a/server/vbv_lernwelt/feedback/views.py
+++ b/server/vbv_lernwelt/feedback/views.py
@@ -2,8 +2,10 @@ import itertools
 import structlog
 from rest_framework.decorators import api_view
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
+from vbv_lernwelt.course.permissions import is_course_session_expert
 from vbv_lernwelt.feedback.models import FeedbackResponse
 logger = structlog.get_logger(__name__)
@@ -24,8 +26,11 @@ FEEDBACK_FIELDS = [
 @api_view(["GET"])
 def get_expert_feedbacks_for_course(request, course_session_id):
+ if not is_course_session_expert(request.user, course_session_id):
+ raise PermissionDenied()
+
 feedbacks = FeedbackResponse.objects.filter(
- course_session__id=course_session_id, circle__expert__user=request.user
+ course_session__id=course_session_id
 ).order_by("circle_id")
 circle_count = []
@@ -44,9 +49,11 @@ def get_expert_feedbacks_for_course(request, course_session_id):
 @api_view(["GET"])
 def get_feedback_for_circle(request, course_session_id, circle_id):
+ if not is_course_session_expert(request.user, course_session_id):
+ raise PermissionDenied()
+
 feedbacks = FeedbackResponse.objects.filter(
 course_session__id=course_session_id,
- circle__expert__user=request.user,
 circle_id=circle_id,
 ).order_by("created_at")
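Review bot: Dropping `circle__expert__user=request.user` from the filter in `get_expert_feedbacks_for_course` leaves the new `is_course_session_expert` guard as the only access control, so a caller who passes it now receives feedback for every circle of the session rather than only the circles they are expert for. `is_course_session_expert` is defined outside this patch; if it returns true for anyone who is expert of at least one circle in the session, read access has widened and that should be a deliberate decision. The same applies to `get_feedback_for_circle` in the last hunk, where `circle_id` comes from the URL and is no longer tied to the caller. If the wider scope is intended, state it above the guard, e.g. `# Session-level access: an expert may read feedback for all circles of this course session.`, and add a test that a non-expert and an expert of a different session both get 403, since the patch touches only views.py. The function body continues past the end of the hunk.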
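Review bot: The two-line guard added at the top of `get_feedback_for_circle` is a verbatim copy of the one in `get_expert_feedbacks_for_course`, so the next endpoint added to this module is protected only if someone remembers to paste it again. A DRF permission class applied with `@permission_classes` states the rule once and keeps it next to `@api_view`, as sketched below; it needs `BasePermission` and `IsAuthenticated` from `rest_framework.permissions` and `permission_classes` from `rest_framework.decorators`. Listing `IsAuthenticated` first matters because the decorator replaces the project's default permission classes, and it is not visible here how `is_course_session_expert` treats an anonymous user. The view body continues outside the hunk.

```python
class IsCourseSessionExpert(BasePermission):
    """Allow only experts of the course session named in the URL."""

    def has_permission(self, request, view):
        return is_course_session_expert(
            request.user, view.kwargs["course_session_id"]
        )


@api_view(["GET"])
@permission_classes([IsAuthenticated, IsCourseSessionExpert])
def get_feedback_for_circle(request, course_session_id, circle_id):
    # … unchanged: feedback query and response building …
```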