From b13d4df370f28af927a4881e5204efc6c415806d Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet
Date: Sat, 2 Sep 2023 23:12:41 +0200
Subject: [PATCH] Corrige permissions API partition/groupes. Fixes #704
---
 app/api/partitions.py | 45 +++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)
diff --git a/app/api/partitions.py b/app/api/partitions.py
index 207fa9ec45..64ed136cc7 100644
--- a/app/api/partitions.py
+++ b/app/api/partitions.py
@@ -176,7 +176,7 @@ def etud_in_group_query(group_id: int):
 @api_web_bp.route("/group//set_etudiant/", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def set_etud_group(etudid: int, group_id: int):
 """Affecte l'étudiant au groupe indiqué"""
@@ -189,6 +189,8 @@ def set_etud_group(etudid: int, group_id: int):
 group = query.first_or_404()
 if not group.partition.formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not group.partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
 return json_error(404, "etud non inscrit au formsemestre du groupe")
@@ -207,7 +209,7 @@ def set_etud_group(etudid: int, group_id: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_remove_etud(group_id: int, etudid: int):
 """Retire l'étudiant de ce groupe. S'il n'y est pas, ne fait rien."""
@@ -220,6 +222,8 @@ def group_remove_etud(group_id: int, etudid: int):
 group = query.first_or_404()
 if not group.partition.formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not group.partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 group.remove_etud(etud)
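Review bot: The refusal added in `set_etud_group` (hunk @@ -189) answers 401, but the request has already passed `@login_required`, so this is an authorization failure and should be 403 like the `formsemestre verrouillé` check two lines above it: `return json_error(403, "opération non autorisée")`. A 401 tells HTTP clients to re-authenticate, which cannot help an already logged-in user, and the same status is used by the identical checks added in `group_remove_etud`, `partition_remove_etud`, `group_create`, `group_delete`, `group_edit`, `partition_create`, `formsemestre_order_partitions`, `partition_order_groups`, `partition_edit` and `partition_delete`. Because every decorator is relaxed from `Permission.ScoEtudChangeGroups` to `Permission.ScoView`, `formsemestre.can_change_groups()` (defined outside this diff) is now the only thing standing between a read-only user and group modifications, so it should be confirmed to check the current user's permission rather than only semester state. With eleven identical copies of the check, a small helper that takes the formsemestre and returns the `json_error` or `None` would keep the status code and message consistent in future edits. The body of `group_remove_etud` in hunk @@ -220 continues past the end of this page.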
@@ -234,7 +238,7 @@ def group_remove_etud(group_id: int, etudid: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_remove_etud(partition_id: int, etudid: int):
 """Enlève l'étudiant de tous les groupes de cette partition
@@ -247,7 +251,8 @@ def partition_remove_etud(partition_id: int, etudid: int):
 partition = query.first_or_404()
 if not partition.formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
-
+ if not partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 db.session.execute(
 sa.text(
 """DELETE FROM group_membership
@@ -278,7 +283,7 @@ def partition_remove_etud(partition_id: int, etudid: int):
 @api_web_bp.route("/partition//group/create", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_create(partition_id: int): # partition-group-create
 """Création d'un groupe dans une partition
@@ -296,6 +301,8 @@ def group_create(partition_id: int): # partition-group-create
 return json_error(403, "formsemestre verrouillé")
 if not partition.groups_editable:
 return json_error(403, "partition non editable")
+ if not partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 data = request.get_json(force=True) # may raise 400 Bad Request
 group_name = data.get("group_name")
 if group_name is None:
@@ -317,7 +324,7 @@ def group_create(partition_id: int): # partition-group-create
 @api_web_bp.route("/group//delete", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_delete(group_id: int):
 """Suppression d'un groupe"""
@@ -331,6 +338,8 @@ def group_delete(group_id: int):
 return json_error(403, "formsemestre verrouillé")
 if not group.partition.groups_editable:
 return json_error(403, "partition non editable")
+ if not group.partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 formsemestre_id = group.partition.formsemestre_id
 log(f"deleting {group}")
 db.session.delete(group)
@@ -344,7 +353,7 @@ def group_delete(group_id: int):
 @api_web_bp.route("/group//edit", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_edit(group_id: int):
 """Edit a group"""
@@ -358,6 +367,8 @@ def group_edit(group_id: int):
 return json_error(403, "formsemestre verrouillé")
 if not group.partition.groups_editable:
 return json_error(403, "partition non editable")
+ if not group.partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 data = request.get_json(force=True) # may raise 400 Bad Request
 group_name = data.get("group_name")
 if group_name is not None:
@@ -379,7 +390,7 @@ def group_edit(group_id: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_create(formsemestre_id: int):
 """Création d'une partition dans un semestre
@@ -399,6 +410,8 @@ def partition_create(formsemestre_id: int):
 formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
 if not formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 data = request.get_json(force=True) # may raise 400 Bad Request
 partition_name = data.get("partition_name")
 if partition_name is None:
@@ -442,7 +455,7 @@ def partition_create(formsemestre_id: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def formsemestre_order_partitions(formsemestre_id: int):
 """Modifie l'ordre des partitions du formsemestre
@@ -454,6 +467,8 @@ def formsemestre_order_partitions(formsemestre_id: int):
 formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
 if not formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 partition_ids = request.get_json(force=True) # may raise 400 Bad Request
 if not isinstance(partition_ids, int) and not all(
 isinstance(x, int) for x in partition_ids
@@ -480,7 +495,7 @@ def formsemestre_order_partitions(formsemestre_id: int):
 @api_web_bp.route("/partition//groups/order", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_order_groups(partition_id: int):
 """Modifie l'ordre des groupes de la partition
@@ -492,6 +507,8 @@ def partition_order_groups(partition_id: int):
 partition: Partition = query.first_or_404()
 if not partition.formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 group_ids = request.get_json(force=True) # may raise 400 Bad Request
 if not isinstance(group_ids, int) and not all(
 isinstance(x, int) for x in group_ids
@@ -515,7 +532,7 @@ def partition_order_groups(partition_id: int):
 @api_web_bp.route("/partition//edit", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_edit(partition_id: int):
 """Modification d'une partition dans un semestre
@@ -536,6 +553,8 @@ def partition_edit(partition_id: int):
 partition: Partition = query.first_or_404()
 if not partition.formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 data = request.get_json(force=True) # may raise 400 Bad Request
 modified = False
 partition_name = data.get("partition_name")
@@ -585,7 +604,7 @@ def partition_edit(partition_id: int):
 @api_web_bp.route("/partition//delete", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_delete(partition_id: int):
 """Suppression d'une partition (et de tous ses groupes).
@@ -601,6 +620,8 @@ def partition_delete(partition_id: int):
 partition: Partition = query.first_or_404()
 if not partition.formsemestre.etat:
 return json_error(403, "formsemestre verrouillé")
+ if not partition.formsemestre.can_change_groups():
+ return json_error(401, "opération non autorisée")
 if not partition.partition_name:
 return json_error(
 API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"