From 6cccf2aae36c6a0f8c781231213a8b2b7832d88e Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Tue, 21 May 2024 14:10:37 +0200
Subject: [PATCH 1/2] Workaround for SubjectType permission-based filtering

---
 aleksis/apps/cursus/schema.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/aleksis/apps/cursus/schema.py b/aleksis/apps/cursus/schema.py
index 711ddd0..cbc818e 100644
--- a/aleksis/apps/cursus/schema.py
+++ b/aleksis/apps/cursus/schema.py
@@ -56,7 +56,12 @@ class SubjectType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return get_objects_for_user(info.context.user, "cursus.view_subject", Subject)
+        # FIXME: Permissions... this is just a workaround,
+        # because cursus.view_subject would have to be assigned manually
+        if not has_person(info.context.user):
+            raise PermissionDenied()
+        return queryset
+        # return get_objects_for_user(info.context.user, "cursus.view_subject", Subject)
 
     @staticmethod
     def resolve_courses(root, info, **kwargs):
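Review bot: The new `get_queryset` body returns the unfiltered queryset to every user that passes `has_person`, so object-level `cursus.view_subject` grants no longer restrict which subjects a person can list; the FIXME admits the shortcut but does not say whether that exposure is acceptable for this model. If subjects are meant to be readable by every person, say so instead of calling it a workaround, e.g. `# Every person may list all subjects; object-level view_subject grants are intentionally not applied here`. If not, keep the `get_objects_for_user` filter and only bypass it for users holding the global permission. `resolve_courses` begins on the last line of the hunk and continues outside it.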
-- 
GitLab


From 508b0d23b6949080ba17419e2f52303e57caba16 Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Fri, 31 May 2024 13:54:25 +0200
Subject: [PATCH 2/2] Use rules and differentiate between course details and
 course in general

---
 aleksis/apps/cursus/rules.py  | 11 ++++++-----
 aleksis/apps/cursus/schema.py | 14 ++++++--------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/aleksis/apps/cursus/rules.py b/aleksis/apps/cursus/rules.py
index 45d71df..5944379 100644
--- a/aleksis/apps/cursus/rules.py
+++ b/aleksis/apps/cursus/rules.py
@@ -15,9 +15,7 @@ view_subjects_predicate = has_person & (
 )
 add_perm("cursus.view_subjects_rule", view_subjects_predicate)
 
-view_subject_predicate = has_person & (
-    has_global_perm("cursus.view_subject") | has_object_perm("cursus.view_subject")
-)
+view_subject_predicate = has_person
 add_perm("cursus.view_subject_rule", view_subject_predicate)
 
 create_subject_predicate = has_person & has_global_perm("cursus.add_subject")
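Review bot: `view_subject_predicate` is reduced to bare `has_person`, while the list rule `view_subjects_predicate` just above still conjoins `has_person` with a right-hand side that lies outside the hunk; if that side still demands a permission, the single-object rule is now looser than the list rule, the reverse of the usual relation. Confirm the two are meant to diverge and record the reason on the rule, e.g. `# Deliberately open to every person: a subject record is reference data, not per-person data` adjusted to the actual rationale, so the next reader does not assume the permission check was dropped by accident.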
@@ -38,12 +36,15 @@ view_courses_predicate = has_person & (
 )
 add_perm("cursus.view_courses_rule", view_courses_predicate)
 
-view_course_predicate = has_person & (
+view_course_predicate = has_person
+add_perm("cursus.view_course_rule", view_course_predicate)
+
+view_course_details_predicate = has_person & (
     is_course_teacher
     | has_global_perm("cursus.view_course")
     | has_object_perm("cursus.view_course")
 )
-add_perm("cursus.view_course_rule", view_course_predicate)
+add_perm("cursus.view_course_details_rule", view_course_details_predicate)
 
 create_course_predicate = has_person & has_global_perm("cursus.add_course")
 add_perm("cursus.create_course_rule", create_course_predicate)
diff --git a/aleksis/apps/cursus/schema.py b/aleksis/apps/cursus/schema.py
index cbc818e..193ae4c 100644
--- a/aleksis/apps/cursus/schema.py
+++ b/aleksis/apps/cursus/schema.py
@@ -56,12 +56,9 @@ class SubjectType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        # FIXME: Permissions... this is just a workaround,
-        # because cursus.view_subject would have to be assigned manually
-        if not has_person(info.context.user):
+        if not info.context.user.has_perm("cursus.view_subject_rule"):
             raise PermissionDenied()
         return queryset
-        # return get_objects_for_user(info.context.user, "cursus.view_subject", Subject)
 
     @staticmethod
     def resolve_courses(root, info, **kwargs):
@@ -132,6 +129,8 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @staticmethod
     def resolve_teachers(root, info, **kwargs):
+        if not info.context.user.has_perm("cursus.view_course_details_rule", root):
+            raise PermissionDenied()
         teachers = get_objects_for_user(info.context.user, "core.view_person", root.teachers.all())
 
         # Fixme: this following code was copied from aleksis/core/schema/group.py so it should work
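Review bot: The details check added at the top of `resolve_teachers` is repeated verbatim in `resolve_groups`; a tiny helper keeps the two in step the next time the rule name changes, e.g. `def _require_course_details(info, root):` / `    if not info.context.user.has_perm("cursus.view_course_details_rule", root):` / `        raise PermissionDenied()`. A one-line comment would also help here, since raising inside a field resolver surfaces as a per-field error while the rest of the course object is still returned, which is what the "details vs. course in general" split relies on. `resolve_teachers` continues past the end of the hunk.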
@@ -144,6 +143,8 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @staticmethod
     def resolve_groups(root, info, **kwargs):
+        if not info.context.user.has_perm("cursus.view_course_details_rule", root):
+            raise PermissionDenied()
         by_permission = get_objects_for_user(
             info.context.user, "core.view_group", root.groups.all()
         )
@@ -156,12 +157,9 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        # FIXME: Permissions... this is just a workaround,
-        # because cursus.view_course would have to be assigned manually
-        if not has_person(info.context.user):
+        if not info.context.user.has_perm("cursus.view_course_rule"):
             raise PermissionDenied()
         return queryset
-        # return get_objects_for_user(info.context.user, "cursus.view_course", Course)
 
 
 class CourseBatchCreateMutation(DjangoBatchCreateMutation):
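Review bot: `CourseType.get_queryset` now hands every person the full, unfiltered `Course` queryset, and only `teachers` and `groups` are gated by the details rule, so every other field the `DjangoObjectType` auto-exposes from the `Course` model is readable by any person; the type's `Meta` fields/exclude list is outside the hunk, so I cannot confirm the remaining fields are all harmless. Check that list and record the intent on the method, e.g. `# Every person may list courses; per-course details (teachers, groups) are gated in their resolvers via view_course_details_rule`. Any further field that should stay restricted needs the same resolver-level check, since the queryset no longer filters.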
-- 
GitLab