From 8135038edbd491e49f4382fc2684d716c4d2039f Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet
Date: Tue, 5 Nov 2024 09:19:27 +0100
Subject: [PATCH] =?UTF-8?q?Restreint=20acc=C3=A8s=20aux=20saisies=20de=20n?= =?UTF-8?q?otes=20(admin=20et=20self)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/api/operations.py | 3 ++
 app/scodoc/sco_etud.py | 3 --
 app/templates/user_board/user_board.j2 | 46 ++++++++++++++------------
 sco_version.py | 2 +-
 4 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/app/api/operations.py b/app/api/operations.py
index 51ba5c618..e8d87af90 100644
--- a/app/api/operations.py
+++ b/app/api/operations.py
@@ -48,6 +48,9 @@ def operations_user_notes(uid: int):
 -----
 uid: l'id de l'utilisateur
 """
+ # --- Permission: restreint au superadmin ou à l'utilisateur lui-même
+ if not app.current_user.is_administrator() and app.current_user.id != uid:
+ return {"error": "Permission denied"}, 403
 start = int(app.request.args.get("start", 0))
 length = min(int(app.request.args.get("length", 10)), MAX_QUERY_LENGTH)
 order = app.request.args.get("order[dir]", "desc")
diff --git a/app/scodoc/sco_etud.py b/app/scodoc/sco_etud.py
index fde983703..f74c3c421 100644
--- a/app/scodoc/sco_etud.py
+++ b/app/scodoc/sco_etud.py
@@ -137,9 +137,6 @@ _identiteEditor = ndb.EditableTable(
 (
 "admission_id",
 "boursier",
- "cas_allow_login",
- "cas_allow_scodoc_login",
- "cas_id",
 "civilite_etat_civil",
 "civilite", # 'M", "F", or "X"
 "code_ine",
diff --git a/app/templates/user_board/user_board.j2 b/app/templates/user_board/user_board.j2
index 2832f9518..ca256a878 100644
--- a/app/templates/user_board/user_board.j2
+++ b/app/templates/user_board/user_board.j2
@@ -115,31 +115,33 @@ div.scobox.saisies-notes { {% endfor %} - -
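Review bot: The permission check added right after the docstring of operations_user_notes returns 403 without recording the refusal, and the docstring that closes just above it still says nothing about the restriction. A docstring line such as `Restricted to an administrator or to the user uid; any other caller gets 403.` (worded in the file's French) would keep the endpoint description accurate, which matters if the API documentation is built from these docstrings. Logging the caller's id and the requested uid on the denied branch would make repeated attempts to read other users' grade entries visible to whoever reviews the logs. The comment says "superadmin" while the code calls `is_administrator()`; if those are not the same role, one of the two should be corrected. The function starts before this hunk and continues after it, so its route decorators and the rest of the body are not visible here.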
-
- Dernières saisies de notes par {{user.get_prenomnom()}} -
- - - - - - - - - - - - -
DateÉvaluationÉtudiantNote
+
+ {% if current_user.is_administrator() or current_user.id == user.id %} +
+ Dernières saisies de notes par {{user.get_prenomnom()}} +
+ + + + + + + + + + + + +
DateÉvaluationÉtudiantNote
+ {% else %} +
+ Vous n'avez pas les droits pour voir les notes de cet utilisateur. +
+ {% endif %} +
- - - - {% endblock app_content %}
diff --git a/sco_version.py b/sco_version.py
index 2e58c9f14..8110b6d01 100644
--- a/sco_version.py
+++ b/sco_version.py
@@ -3,7 +3,7 @@
 "Infos sur version ScoDoc"
-SCOVERSION = "9.7.38"
+SCOVERSION = "9.7.39"
 SCONAME = "ScoDoc"
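Review bot: The `{% if current_user.is_administrator() or current_user.id == user.id %}` guard in user_board.j2 repeats the rule that this commit also adds to operations_user_notes, so the two copies can drift apart when one is changed later. Computing the decision once in the view and passing it to the template, for example `{% if can_view_notes %}` (an illustrative variable name), keeps a single definition. The server-side check in the API stays the actual enforcement and the template only decides what is displayed. The markup of this hunk is only partly visible on the page, so it is worth confirming that whatever script fills the table is also skipped in the `{% else %}` case; otherwise every non-authorised viewer of the page triggers a request that can only return 403.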