Use rules and differentiate between course details and course in general

508b0d23 · Hangzhi Yu · 6cccf2aa · 508b0d23 · 508b0d23
Commit 508b0d23 authored 9 months ago by Hangzhi Yu
--- a/aleksis/apps/cursus/rules.py
+++ b/aleksis/apps/cursus/rules.py
@@ -15,9 +15,7 @@ view_subjects_predicate = has_person & (
 )
 add_perm("cursus.view_subjects_rule", view_subjects_predicate)

-view_subject_predicate = has_person & (
-    has_global_perm("cursus.view_subject") | has_object_perm("cursus.view_subject")
-)
+view_subject_predicate = has_person
 add_perm("cursus.view_subject_rule", view_subject_predicate)

 create_subject_predicate = has_person & has_global_perm("cursus.add_subject")
@@ -38,12 +36,15 @@ view_courses_predicate = has_person & (
 )
 add_perm("cursus.view_courses_rule", view_courses_predicate)

-view_course_predicate = has_person & (
+view_course_predicate = has_person
+add_perm("cursus.view_course_rule", view_course_predicate)
+
+view_course_details_predicate = has_person & (
    is_course_teacher
    | has_global_perm("cursus.view_course")
    | has_object_perm("cursus.view_course")
 )
-add_perm("cursus.view_course_rule", view_course_predicate)
+add_perm("cursus.view_course_details_rule", view_course_details_predicate)

 create_course_predicate = has_person & has_global_perm("cursus.add_course")
 add_perm("cursus.create_course_rule", create_course_predicate)

--- a/aleksis/apps/cursus/schema.py
+++ b/aleksis/apps/cursus/schema.py
@@ -56,12 +56,9 @@ class SubjectType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):

    @classmethod
    def get_queryset(cls, queryset, info):
-        # FIXME: Permissions... this is just a workaround,
-        # because cursus.view_subject would have to be assigned manually
-        if not has_person(info.context.user):
+        if not info.context.user.has_perm("cursus.view_subject_rule"):
            raise PermissionDenied()
        return queryset
-        # return get_objects_for_user(info.context.user, "cursus.view_subject", Subject)

    @staticmethod
    def resolve_courses(root, info, **kwargs):
@@ -132,6 +129,8 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):

    @staticmethod
    def resolve_teachers(root, info, **kwargs):
+        if not info.context.user.has_perm("cursus.view_course_details_rule", root):
+            raise PermissionDenied()
        teachers = get_objects_for_user(info.context.user, "core.view_person", root.teachers.all())

        # Fixme: this following code was copied from aleksis/core/schema/group.py so it should work
@@ -144,6 +143,8 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):

    @staticmethod
    def resolve_groups(root, info, **kwargs):
+        if not info.context.user.has_perm("cursus.view_course_details_rule", root):
+            raise PermissionDenied()
        by_permission = get_objects_for_user(
            info.context.user, "core.view_group", root.groups.all()
        )
@@ -156,12 +157,9 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):

    @classmethod
    def get_queryset(cls, queryset, info):
-        # FIXME: Permissions... this is just a workaround,
-        # because cursus.view_course would have to be assigned manually
-        if not has_person(info.context.user):
+        if not info.context.user.has_perm("cursus.view_course_rule"):
            raise PermissionDenied()
        return queryset
-        # return get_objects_for_user(info.context.user, "cursus.view_course", Course)


 class CourseBatchCreateMutation(DjangoBatchCreateMutation):