Restreint l'accès aux annotations via l'API à la permission ViewEtudData

2024-02-10 15:53:57 +01:00 · 2024-02-10 15:53:57 +01:00 · e989a4ffa8
commit e989a4ffa8
parent 6ae2b0eb5f
1 changed files with 7 additions and 3 deletions
--- a/app/models/etudiants.py
+++ b/app/models/etudiants.py
@ -519,7 +519,7 @@ class Identite(models.ScoDocModel):
        e.pop("departement", None)
        e["sort_key"] = self.sort_key
        e["annotations"] = [
-            annot.to_dict()
+            annot.to_dict(restrict=restrict)
            for annot in EtudAnnotation.query.filter_by(etudid=self.id).order_by(
                desc(EtudAnnotation.date)
            )
@ -1082,10 +1082,14 @@ class EtudAnnotation(db.Model):
    author = db.Column(db.Text)  # le pseudo (user_name), was zope_authenticated_user
    comment = db.Column(db.Text)

-    def to_dict(self):
-        """Représentation dictionnaire."""
+    protected_attrs = {"comment"}
+
+    def to_dict(self, restrict=False):
+        """Représentation dictionnaire. Si restrict, filtre les champs protégés (RGPD)."""
        e = dict(self.__dict__)
        e.pop("_sa_instance_state", None)
+        if restrict:
+            e = {k: v for (k, v) in e.items() if k not in self.protected_attrs}
        return e