only student or teacher can get groups ; unlock groups

SELab-2 · May 12, 2024 · 3ed5561 · 3ed5561
1 parent ebec22c
commit 3ed5561
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/backend/project/endpoints/projects/groups/groups.py b/backend/project/endpoints/projects/groups/groups.py
@@ -10,7 +10,7 @@
 from project.models.course import Course
 from project.models.group import Group
 from project.utils.query_agent import query_selected_from_model, insert_into_model
-from project.utils.authentication import login_required, authorize_teacher_of_project
+from project.utils.authentication import authorize_teacher_or_student_of_project, authorize_teacher_of_project
 from project import db
 
 load_dotenv()
@@ -24,8 +24,16 @@ class Groups(Resource):
     @authorize_teacher_of_project
     def patch(self, project_id, teacher_id=None):
         """
-        This function will lock all groups of the project
+        This function will set locked state of project groups, 
+        need to pass locked field in the body
         """
+        req = request.json
+        locked = req.get("locked")
+        if locked is None:
+            return {
+                "message": "Bad request: locked field is required",
+                "url": RESPONSE_URL
+            }, 400
 
         try:
             project = db.session.query(Project).filter_by(
@@ -35,7 +43,7 @@ def patch(self, project_id, teacher_id=None):
                     "message": "Project does not exist",
                     "url": RESPONSE_URL
                 }, 404
-            project.groups_locked = True
+            project.groups_locked = locked
             db.session.commit()
 
             return {
@@ -48,7 +56,7 @@ def patch(self, project_id, teacher_id=None):
                 "url": RESPONSE_URL
             }, 500
 
-    @login_required
+    @authorize_teacher_or_student_of_project
     def get(self, project_id):
         """
         Get function for /project/project_id/groups this will be the main endpoint

diff --git a/backend/project/utils/authentication.py b/backend/project/utils/authentication.py
@@ -50,6 +50,7 @@ def wrap(*args, **kwargs):
         return f(*args, **kwargs)
     return wrap
 
+
 def login_required_return_uid(f):
     """
     This function will check if the person sending a request to the API is logged in
@@ -62,6 +63,7 @@ def wrap(*args, **kwargs):
         return f(*args, **kwargs)
     return wrap
 
+
 def authorize_admin(f):
     """
     This function will check if the person sending a request to the API is logged in and an admin.
@@ -169,6 +171,27 @@ def wrap(*args, **kwargs):
     return wrap
 
 
+def authorize_teacher_or_student_of_project(f):
+    """
+    This function will check if the person sending a request to the API is logged in, 
+    and the teacher or student of the course which the project in the request belongs to.
+    Returns 403: Not Authorized if either condition is false
+    """
+    @wraps(f)
+    def wrap(*args, **kwargs):
+        auth_user_id = return_authenticated_user_id()
+        project_id = kwargs["project_id"]
+        course_id = get_course_of_project(project_id)
+
+        if (is_teacher_of_course(auth_user_id, course_id) or 
+            is_student_of_course(auth_user_id, course_id)):
+            return f(*args, **kwargs)
+
+        abort(make_response(({"message": """You are not authorized to perfom this action,
+                            you are not the teacher OR student of this project"""}, 403)))
+    return wrap
+
+
 def authorize_teacher_or_project_admin(f):
     """
     This function will check if the person sending a request to the API is logged in, 
@@ -210,6 +233,7 @@ def wrap(*args, **kwargs):
             ({"message": "You're not authorized to perform this action"}, 403)))
     return wrap
 
+
 def authorize_submissions_request(f):
     """This function will check if the person sending a request to the API is logged in,
     and either the teacher/admin of the course or the student