Corrige permissions API partition/groupes. Fixes #704
This commit is contained in:
parent
ec274f0ad6
commit
b13d4df370
@ -176,7 +176,7 @@ def etud_in_group_query(group_id: int):
|
|||||||
@api_web_bp.route("/group/<int:group_id>/set_etudiant/<int:etudid>", methods=["POST"])
|
@api_web_bp.route("/group/<int:group_id>/set_etudiant/<int:etudid>", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def set_etud_group(etudid: int, group_id: int):
|
def set_etud_group(etudid: int, group_id: int):
|
||||||
"""Affecte l'étudiant au groupe indiqué"""
|
"""Affecte l'étudiant au groupe indiqué"""
|
||||||
@ -189,6 +189,8 @@ def set_etud_group(etudid: int, group_id: int):
|
|||||||
group = query.first_or_404()
|
group = query.first_or_404()
|
||||||
if not group.partition.formsemestre.etat:
|
if not group.partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
|
if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
|
||||||
return json_error(404, "etud non inscrit au formsemestre du groupe")
|
return json_error(404, "etud non inscrit au formsemestre du groupe")
|
||||||
|
|
||||||
@ -207,7 +209,7 @@ def set_etud_group(etudid: int, group_id: int):
|
|||||||
)
|
)
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def group_remove_etud(group_id: int, etudid: int):
|
def group_remove_etud(group_id: int, etudid: int):
|
||||||
"""Retire l'étudiant de ce groupe. S'il n'y est pas, ne fait rien."""
|
"""Retire l'étudiant de ce groupe. S'il n'y est pas, ne fait rien."""
|
||||||
@ -220,6 +222,8 @@ def group_remove_etud(group_id: int, etudid: int):
|
|||||||
group = query.first_or_404()
|
group = query.first_or_404()
|
||||||
if not group.partition.formsemestre.etat:
|
if not group.partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
|
|
||||||
group.remove_etud(etud)
|
group.remove_etud(etud)
|
||||||
|
|
||||||
@ -234,7 +238,7 @@ def group_remove_etud(group_id: int, etudid: int):
|
|||||||
)
|
)
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def partition_remove_etud(partition_id: int, etudid: int):
|
def partition_remove_etud(partition_id: int, etudid: int):
|
||||||
"""Enlève l'étudiant de tous les groupes de cette partition
|
"""Enlève l'étudiant de tous les groupes de cette partition
|
||||||
@ -247,7 +251,8 @@ def partition_remove_etud(partition_id: int, etudid: int):
|
|||||||
partition = query.first_or_404()
|
partition = query.first_or_404()
|
||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
db.session.execute(
|
db.session.execute(
|
||||||
sa.text(
|
sa.text(
|
||||||
"""DELETE FROM group_membership
|
"""DELETE FROM group_membership
|
||||||
@ -278,7 +283,7 @@ def partition_remove_etud(partition_id: int, etudid: int):
|
|||||||
@api_web_bp.route("/partition/<int:partition_id>/group/create", methods=["POST"])
|
@api_web_bp.route("/partition/<int:partition_id>/group/create", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def group_create(partition_id: int): # partition-group-create
|
def group_create(partition_id: int): # partition-group-create
|
||||||
"""Création d'un groupe dans une partition
|
"""Création d'un groupe dans une partition
|
||||||
@ -296,6 +301,8 @@ def group_create(partition_id: int): # partition-group-create
|
|||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not partition.groups_editable:
|
if not partition.groups_editable:
|
||||||
return json_error(403, "partition non editable")
|
return json_error(403, "partition non editable")
|
||||||
|
if not partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
data = request.get_json(force=True) # may raise 400 Bad Request
|
data = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
group_name = data.get("group_name")
|
group_name = data.get("group_name")
|
||||||
if group_name is None:
|
if group_name is None:
|
||||||
@ -317,7 +324,7 @@ def group_create(partition_id: int): # partition-group-create
|
|||||||
@api_web_bp.route("/group/<int:group_id>/delete", methods=["POST"])
|
@api_web_bp.route("/group/<int:group_id>/delete", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def group_delete(group_id: int):
|
def group_delete(group_id: int):
|
||||||
"""Suppression d'un groupe"""
|
"""Suppression d'un groupe"""
|
||||||
@ -331,6 +338,8 @@ def group_delete(group_id: int):
|
|||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not group.partition.groups_editable:
|
if not group.partition.groups_editable:
|
||||||
return json_error(403, "partition non editable")
|
return json_error(403, "partition non editable")
|
||||||
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
formsemestre_id = group.partition.formsemestre_id
|
formsemestre_id = group.partition.formsemestre_id
|
||||||
log(f"deleting {group}")
|
log(f"deleting {group}")
|
||||||
db.session.delete(group)
|
db.session.delete(group)
|
||||||
@ -344,7 +353,7 @@ def group_delete(group_id: int):
|
|||||||
@api_web_bp.route("/group/<int:group_id>/edit", methods=["POST"])
|
@api_web_bp.route("/group/<int:group_id>/edit", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def group_edit(group_id: int):
|
def group_edit(group_id: int):
|
||||||
"""Edit a group"""
|
"""Edit a group"""
|
||||||
@ -358,6 +367,8 @@ def group_edit(group_id: int):
|
|||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not group.partition.groups_editable:
|
if not group.partition.groups_editable:
|
||||||
return json_error(403, "partition non editable")
|
return json_error(403, "partition non editable")
|
||||||
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
data = request.get_json(force=True) # may raise 400 Bad Request
|
data = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
group_name = data.get("group_name")
|
group_name = data.get("group_name")
|
||||||
if group_name is not None:
|
if group_name is not None:
|
||||||
@ -379,7 +390,7 @@ def group_edit(group_id: int):
|
|||||||
)
|
)
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def partition_create(formsemestre_id: int):
|
def partition_create(formsemestre_id: int):
|
||||||
"""Création d'une partition dans un semestre
|
"""Création d'une partition dans un semestre
|
||||||
@ -399,6 +410,8 @@ def partition_create(formsemestre_id: int):
|
|||||||
formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
|
formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
|
||||||
if not formsemestre.etat:
|
if not formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
data = request.get_json(force=True) # may raise 400 Bad Request
|
data = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
partition_name = data.get("partition_name")
|
partition_name = data.get("partition_name")
|
||||||
if partition_name is None:
|
if partition_name is None:
|
||||||
@ -442,7 +455,7 @@ def partition_create(formsemestre_id: int):
|
|||||||
)
|
)
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def formsemestre_order_partitions(formsemestre_id: int):
|
def formsemestre_order_partitions(formsemestre_id: int):
|
||||||
"""Modifie l'ordre des partitions du formsemestre
|
"""Modifie l'ordre des partitions du formsemestre
|
||||||
@ -454,6 +467,8 @@ def formsemestre_order_partitions(formsemestre_id: int):
|
|||||||
formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
|
formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
|
||||||
if not formsemestre.etat:
|
if not formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
partition_ids = request.get_json(force=True) # may raise 400 Bad Request
|
partition_ids = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
if not isinstance(partition_ids, int) and not all(
|
if not isinstance(partition_ids, int) and not all(
|
||||||
isinstance(x, int) for x in partition_ids
|
isinstance(x, int) for x in partition_ids
|
||||||
@ -480,7 +495,7 @@ def formsemestre_order_partitions(formsemestre_id: int):
|
|||||||
@api_web_bp.route("/partition/<int:partition_id>/groups/order", methods=["POST"])
|
@api_web_bp.route("/partition/<int:partition_id>/groups/order", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def partition_order_groups(partition_id: int):
|
def partition_order_groups(partition_id: int):
|
||||||
"""Modifie l'ordre des groupes de la partition
|
"""Modifie l'ordre des groupes de la partition
|
||||||
@ -492,6 +507,8 @@ def partition_order_groups(partition_id: int):
|
|||||||
partition: Partition = query.first_or_404()
|
partition: Partition = query.first_or_404()
|
||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
group_ids = request.get_json(force=True) # may raise 400 Bad Request
|
group_ids = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
if not isinstance(group_ids, int) and not all(
|
if not isinstance(group_ids, int) and not all(
|
||||||
isinstance(x, int) for x in group_ids
|
isinstance(x, int) for x in group_ids
|
||||||
@ -515,7 +532,7 @@ def partition_order_groups(partition_id: int):
|
|||||||
@api_web_bp.route("/partition/<int:partition_id>/edit", methods=["POST"])
|
@api_web_bp.route("/partition/<int:partition_id>/edit", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def partition_edit(partition_id: int):
|
def partition_edit(partition_id: int):
|
||||||
"""Modification d'une partition dans un semestre
|
"""Modification d'une partition dans un semestre
|
||||||
@ -536,6 +553,8 @@ def partition_edit(partition_id: int):
|
|||||||
partition: Partition = query.first_or_404()
|
partition: Partition = query.first_or_404()
|
||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
data = request.get_json(force=True) # may raise 400 Bad Request
|
data = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
modified = False
|
modified = False
|
||||||
partition_name = data.get("partition_name")
|
partition_name = data.get("partition_name")
|
||||||
@ -585,7 +604,7 @@ def partition_edit(partition_id: int):
|
|||||||
@api_web_bp.route("/partition/<int:partition_id>/delete", methods=["POST"])
|
@api_web_bp.route("/partition/<int:partition_id>/delete", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@scodoc
|
@scodoc
|
||||||
@permission_required(Permission.ScoEtudChangeGroups)
|
@permission_required(Permission.ScoView)
|
||||||
@as_json
|
@as_json
|
||||||
def partition_delete(partition_id: int):
|
def partition_delete(partition_id: int):
|
||||||
"""Suppression d'une partition (et de tous ses groupes).
|
"""Suppression d'une partition (et de tous ses groupes).
|
||||||
@ -601,6 +620,8 @@ def partition_delete(partition_id: int):
|
|||||||
partition: Partition = query.first_or_404()
|
partition: Partition = query.first_or_404()
|
||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
|
if not partition.formsemestre.can_change_groups():
|
||||||
|
return json_error(401, "opération non autorisée")
|
||||||
if not partition.partition_name:
|
if not partition.partition_name:
|
||||||
return json_error(
|
return json_error(
|
||||||
API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"
|
API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"
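Review bot: The added `can_change_groups()` guard answers with `json_error(401, "opération non autorisée")`, but the request has already passed `@login_required`, so this is an authorization failure for an authenticated user and 403 is the correct status, consistent with the `formsemestre verrouillé` branch two lines above; `return json_error(403, "opération non autorisée")`. Because the route decorator is relaxed from `Permission.ScoEtudChangeGroups` to `Permission.ScoView`, every mutation on this endpoint now rests entirely on `partition.formsemestre.can_change_groups()`, whose body is not in this diff — it should be confirmed to evaluate the current user's rights (not only a semester-level flag), otherwise any user with view permission could delete a partition. The same two-line guard is pasted into each hunk of this file; a small shared helper or decorator applied after the 404 lookup would keep the copies from drifting and make a forgotten endpoint easier to spot. `partition_delete` continues past the end of this hunk.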
|
||||||
|