1
0
forked from ScoDoc/ScoDoc

Corrige permissions API partition/groupes. Fixes #704

This commit is contained in:
Emmanuel Viennet 2023-09-02 23:12:41 +02:00 committed by iziram
parent ec274f0ad6
commit b13d4df370

View File

@ -176,7 +176,7 @@ def etud_in_group_query(group_id: int):
@api_web_bp.route("/group/<int:group_id>/set_etudiant/<int:etudid>", methods=["POST"]) @api_web_bp.route("/group/<int:group_id>/set_etudiant/<int:etudid>", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def set_etud_group(etudid: int, group_id: int): def set_etud_group(etudid: int, group_id: int):
"""Affecte l'étudiant au groupe indiqué""" """Affecte l'étudiant au groupe indiqué"""
@ -189,6 +189,8 @@ def set_etud_group(etudid: int, group_id: int):
group = query.first_or_404() group = query.first_or_404()
if not group.partition.formsemestre.etat: if not group.partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
if etud.id not in {e.id for e in group.partition.formsemestre.etuds}: if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
return json_error(404, "etud non inscrit au formsemestre du groupe") return json_error(404, "etud non inscrit au formsemestre du groupe")
@ -207,7 +209,7 @@ def set_etud_group(etudid: int, group_id: int):
) )
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def group_remove_etud(group_id: int, etudid: int): def group_remove_etud(group_id: int, etudid: int):
"""Retire l'étudiant de ce groupe. S'il n'y est pas, ne fait rien.""" """Retire l'étudiant de ce groupe. S'il n'y est pas, ne fait rien."""
@ -220,6 +222,8 @@ def group_remove_etud(group_id: int, etudid: int):
group = query.first_or_404() group = query.first_or_404()
if not group.partition.formsemestre.etat: if not group.partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
group.remove_etud(etud) group.remove_etud(etud)
@ -234,7 +238,7 @@ def group_remove_etud(group_id: int, etudid: int):
) )
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def partition_remove_etud(partition_id: int, etudid: int): def partition_remove_etud(partition_id: int, etudid: int):
"""Enlève l'étudiant de tous les groupes de cette partition """Enlève l'étudiant de tous les groupes de cette partition
@ -247,7 +251,8 @@ def partition_remove_etud(partition_id: int, etudid: int):
partition = query.first_or_404() partition = query.first_or_404()
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
db.session.execute( db.session.execute(
sa.text( sa.text(
"""DELETE FROM group_membership """DELETE FROM group_membership
@ -278,7 +283,7 @@ def partition_remove_etud(partition_id: int, etudid: int):
@api_web_bp.route("/partition/<int:partition_id>/group/create", methods=["POST"]) @api_web_bp.route("/partition/<int:partition_id>/group/create", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def group_create(partition_id: int): # partition-group-create def group_create(partition_id: int): # partition-group-create
"""Création d'un groupe dans une partition """Création d'un groupe dans une partition
@ -296,6 +301,8 @@ def group_create(partition_id: int): # partition-group-create
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.groups_editable: if not partition.groups_editable:
return json_error(403, "partition non editable") return json_error(403, "partition non editable")
if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
data = request.get_json(force=True) # may raise 400 Bad Request data = request.get_json(force=True) # may raise 400 Bad Request
group_name = data.get("group_name") group_name = data.get("group_name")
if group_name is None: if group_name is None:
@ -317,7 +324,7 @@ def group_create(partition_id: int): # partition-group-create
@api_web_bp.route("/group/<int:group_id>/delete", methods=["POST"]) @api_web_bp.route("/group/<int:group_id>/delete", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def group_delete(group_id: int): def group_delete(group_id: int):
"""Suppression d'un groupe""" """Suppression d'un groupe"""
@ -331,6 +338,8 @@ def group_delete(group_id: int):
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not group.partition.groups_editable: if not group.partition.groups_editable:
return json_error(403, "partition non editable") return json_error(403, "partition non editable")
if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
formsemestre_id = group.partition.formsemestre_id formsemestre_id = group.partition.formsemestre_id
log(f"deleting {group}") log(f"deleting {group}")
db.session.delete(group) db.session.delete(group)
@ -344,7 +353,7 @@ def group_delete(group_id: int):
@api_web_bp.route("/group/<int:group_id>/edit", methods=["POST"]) @api_web_bp.route("/group/<int:group_id>/edit", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def group_edit(group_id: int): def group_edit(group_id: int):
"""Edit a group""" """Edit a group"""
@ -358,6 +367,8 @@ def group_edit(group_id: int):
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not group.partition.groups_editable: if not group.partition.groups_editable:
return json_error(403, "partition non editable") return json_error(403, "partition non editable")
if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
data = request.get_json(force=True) # may raise 400 Bad Request data = request.get_json(force=True) # may raise 400 Bad Request
group_name = data.get("group_name") group_name = data.get("group_name")
if group_name is not None: if group_name is not None:
@ -379,7 +390,7 @@ def group_edit(group_id: int):
) )
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def partition_create(formsemestre_id: int): def partition_create(formsemestre_id: int):
"""Création d'une partition dans un semestre """Création d'une partition dans un semestre
@ -399,6 +410,8 @@ def partition_create(formsemestre_id: int):
formsemestre: FormSemestre = query.first_or_404(formsemestre_id) formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
if not formsemestre.etat: if not formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
data = request.get_json(force=True) # may raise 400 Bad Request data = request.get_json(force=True) # may raise 400 Bad Request
partition_name = data.get("partition_name") partition_name = data.get("partition_name")
if partition_name is None: if partition_name is None:
@ -442,7 +455,7 @@ def partition_create(formsemestre_id: int):
) )
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def formsemestre_order_partitions(formsemestre_id: int): def formsemestre_order_partitions(formsemestre_id: int):
"""Modifie l'ordre des partitions du formsemestre """Modifie l'ordre des partitions du formsemestre
@ -454,6 +467,8 @@ def formsemestre_order_partitions(formsemestre_id: int):
formsemestre: FormSemestre = query.first_or_404(formsemestre_id) formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
if not formsemestre.etat: if not formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
partition_ids = request.get_json(force=True) # may raise 400 Bad Request partition_ids = request.get_json(force=True) # may raise 400 Bad Request
if not isinstance(partition_ids, int) and not all( if not isinstance(partition_ids, int) and not all(
isinstance(x, int) for x in partition_ids isinstance(x, int) for x in partition_ids
@ -480,7 +495,7 @@ def formsemestre_order_partitions(formsemestre_id: int):
@api_web_bp.route("/partition/<int:partition_id>/groups/order", methods=["POST"]) @api_web_bp.route("/partition/<int:partition_id>/groups/order", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def partition_order_groups(partition_id: int): def partition_order_groups(partition_id: int):
"""Modifie l'ordre des groupes de la partition """Modifie l'ordre des groupes de la partition
@ -492,6 +507,8 @@ def partition_order_groups(partition_id: int):
partition: Partition = query.first_or_404() partition: Partition = query.first_or_404()
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
group_ids = request.get_json(force=True) # may raise 400 Bad Request group_ids = request.get_json(force=True) # may raise 400 Bad Request
if not isinstance(group_ids, int) and not all( if not isinstance(group_ids, int) and not all(
isinstance(x, int) for x in group_ids isinstance(x, int) for x in group_ids
@ -515,7 +532,7 @@ def partition_order_groups(partition_id: int):
@api_web_bp.route("/partition/<int:partition_id>/edit", methods=["POST"]) @api_web_bp.route("/partition/<int:partition_id>/edit", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def partition_edit(partition_id: int): def partition_edit(partition_id: int):
"""Modification d'une partition dans un semestre """Modification d'une partition dans un semestre
@ -536,6 +553,8 @@ def partition_edit(partition_id: int):
partition: Partition = query.first_or_404() partition: Partition = query.first_or_404()
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
data = request.get_json(force=True) # may raise 400 Bad Request data = request.get_json(force=True) # may raise 400 Bad Request
modified = False modified = False
partition_name = data.get("partition_name") partition_name = data.get("partition_name")
@ -585,7 +604,7 @@ def partition_edit(partition_id: int):
@api_web_bp.route("/partition/<int:partition_id>/delete", methods=["POST"]) @api_web_bp.route("/partition/<int:partition_id>/delete", methods=["POST"])
@login_required @login_required
@scodoc @scodoc
@permission_required(Permission.ScoEtudChangeGroups) @permission_required(Permission.ScoView)
@as_json @as_json
def partition_delete(partition_id: int): def partition_delete(partition_id: int):
"""Suppression d'une partition (et de tous ses groupes). """Suppression d'une partition (et de tous ses groupes).
@ -601,6 +620,8 @@ def partition_delete(partition_id: int):
partition: Partition = query.first_or_404() partition: Partition = query.first_or_404()
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée")
if not partition.partition_name: if not partition.partition_name:
return json_error( return json_error(
API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut" API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"