Refactor permission functions

2023-01-11 10:23:24 +01:00 · 2023-01-11 10:23:24 +01:00 · fb458be776
parent 9fc834e99e
commit fb458be776
2 changed files with 14 additions and 16 deletions
--- a/server/vbv_lernwelt/course/permissions.py
+++ b/server/vbv_lernwelt/course/permissions.py
@ -18,7 +18,7 @@ def has_course_access(user, course_id):
    return False


-def is_course_expert(user, course_id):
+def is_course_expert(user, course_id: int):
    if user.is_superuser:
        return True

@ -41,25 +41,23 @@ def course_sessions_for_user_qs(user):
    return course_sessions


-def is_circle_expert(user, learning_sequence, course) -> bool:
+def is_circle_expert(user, course_session_id: int, learning_sequence_id: int) -> bool:
    if user.is_superuser:
        return True

    try:
-        learning_sequence = LearningSequence.objects.get(id=learning_sequence)
+        learning_sequence = LearningSequence.objects.get(id=learning_sequence_id)
    except LearningSequence.DoesNotExist:
        return False

    circle_id = learning_sequence.get_parent().circle.id

-    try:
-        CourseSessionUser.objects.get(
-            course_session__id=course,
-            user_id=user.id,
-            role=CourseSessionUser.Role.EXPERT,
-            expert__id=circle_id,
-        )
-    except CourseSessionUser.DoesNotExist:
-        return False
+    if CourseSessionUser.objects.filter(
+        id=course_session_id,
+        user=user,
+        role=CourseSessionUser.Role.EXPERT,
+        expert__id=circle_id,
+    ).exists():
+        return True

-    return True
+    return False
--- a/server/vbv_lernwelt/course/views.py
+++ b/server/vbv_lernwelt/course/views.py
@ -15,8 +15,8 @@ from vbv_lernwelt.course.permissions import (
    course_sessions_for_user_qs,
    has_course_access,
    has_course_access_by_page_request,
-    is_course_expert,
    is_circle_expert,
+    is_course_expert,
 )
 from vbv_lernwelt.course.serializers import (
    CourseCompletionSerializer,
@ -161,8 +161,8 @@ def document_upload_start(request):

    if not is_circle_expert(
        request.user,
-        serializer.validated_data["learning_sequence"],
        serializer.validated_data["course_session"],
+        serializer.validated_data["learning_sequence"],
    ):
        raise PermissionDenied()

@ -217,7 +217,7 @@ def document_direct_upload(request, file_id):
 def document_delete(request, document_id):
    document = get_object_or_404(CircleDocument, id=document_id)
    if not is_circle_expert(
-        request.user, document.learning_sequence_id, document.course_session_id
+        request.user, document.course_session.id, document.learning_sequence.id
    ):
        raise PermissionDenied()