From e989a4ffa8b59fefb100841b18e3aea342308faf Mon Sep 17 00:00:00 2001
From: Lyanis Souidi <code@lyanis.dev>
Date: Sat, 10 Feb 2024 15:53:57 +0100
Subject: [PATCH] =?UTF-8?q?Restreint=20l'acc=C3=A8s=20aux=20annotations=20?=
 =?UTF-8?q?via=20l'API=20=C3=A0=20la=20permission=20ViewEtudData?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/models/etudiants.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/app/models/etudiants.py b/app/models/etudiants.py
index 21b8d1ce..86490dd3 100644
--- a/app/models/etudiants.py
+++ b/app/models/etudiants.py
@@ -519,7 +519,7 @@ class Identite(models.ScoDocModel):
         e.pop("departement", None)
         e["sort_key"] = self.sort_key
         e["annotations"] = [
-            annot.to_dict()
+            annot.to_dict(restrict=restrict)
             for annot in EtudAnnotation.query.filter_by(etudid=self.id).order_by(
                 desc(EtudAnnotation.date)
             )
@@ -1082,10 +1082,14 @@ class EtudAnnotation(db.Model):
     author = db.Column(db.Text)  # le pseudo (user_name), was zope_authenticated_user
     comment = db.Column(db.Text)
 
-    def to_dict(self):
-        """Représentation dictionnaire."""
+    protected_attrs = {"comment"}
+
+    def to_dict(self, restrict=False):
+        """Représentation dictionnaire. Si restrict, filtre les champs protégés (RGPD)."""
         e = dict(self.__dict__)
         e.pop("_sa_instance_state", None)
+        if restrict:
+            e = {k: v for (k, v) in e.items() if k not in self.protected_attrs}
         return e