From b13d4df370f28af927a4881e5204efc6c415806d Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Sat, 2 Sep 2023 23:12:41 +0200
Subject: [PATCH] Corrige permissions API partition/groupes. Fixes #704

---
 app/api/partitions.py | 45 +++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)

diff --git a/app/api/partitions.py b/app/api/partitions.py
index 207fa9ec..64ed136c 100644
--- a/app/api/partitions.py
+++ b/app/api/partitions.py
@@ -176,7 +176,7 @@ def etud_in_group_query(group_id: int):
 @api_web_bp.route("/group/<int:group_id>/set_etudiant/<int:etudid>", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def set_etud_group(etudid: int, group_id: int):
     """Affecte l'étudiant au groupe indiqué"""
@@ -189,6 +189,8 @@ def set_etud_group(etudid: int, group_id: int):
     group = query.first_or_404()
     if not group.partition.formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not group.partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
         return json_error(404, "etud non inscrit au formsemestre du groupe")
 
@@ -207,7 +209,7 @@ def set_etud_group(etudid: int, group_id: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_remove_etud(group_id: int, etudid: int):
     """Retire l'étudiant de ce groupe. S'il n'y est pas, ne fait rien."""
@@ -220,6 +222,8 @@ def group_remove_etud(group_id: int, etudid: int):
     group = query.first_or_404()
     if not group.partition.formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not group.partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
 
     group.remove_etud(etud)
 
@@ -234,7 +238,7 @@ def group_remove_etud(group_id: int, etudid: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_remove_etud(partition_id: int, etudid: int):
     """Enlève l'étudiant de tous les groupes de cette partition
@@ -247,7 +251,8 @@ def partition_remove_etud(partition_id: int, etudid: int):
     partition = query.first_or_404()
     if not partition.formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
-
+    if not partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     db.session.execute(
         sa.text(
             """DELETE FROM group_membership
@@ -278,7 +283,7 @@ def partition_remove_etud(partition_id: int, etudid: int):
 @api_web_bp.route("/partition/<int:partition_id>/group/create", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_create(partition_id: int):  # partition-group-create
     """Création d'un groupe dans une partition
@@ -296,6 +301,8 @@ def group_create(partition_id: int):  # partition-group-create
         return json_error(403, "formsemestre verrouillé")
     if not partition.groups_editable:
         return json_error(403, "partition non editable")
+    if not partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     data = request.get_json(force=True)  # may raise 400 Bad Request
     group_name = data.get("group_name")
     if group_name is None:
@@ -317,7 +324,7 @@ def group_create(partition_id: int):  # partition-group-create
 @api_web_bp.route("/group/<int:group_id>/delete", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_delete(group_id: int):
     """Suppression d'un groupe"""
@@ -331,6 +338,8 @@ def group_delete(group_id: int):
         return json_error(403, "formsemestre verrouillé")
     if not group.partition.groups_editable:
         return json_error(403, "partition non editable")
+    if not group.partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     formsemestre_id = group.partition.formsemestre_id
     log(f"deleting {group}")
     db.session.delete(group)
@@ -344,7 +353,7 @@ def group_delete(group_id: int):
 @api_web_bp.route("/group/<int:group_id>/edit", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def group_edit(group_id: int):
     """Edit a group"""
@@ -358,6 +367,8 @@ def group_edit(group_id: int):
         return json_error(403, "formsemestre verrouillé")
     if not group.partition.groups_editable:
         return json_error(403, "partition non editable")
+    if not group.partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     data = request.get_json(force=True)  # may raise 400 Bad Request
     group_name = data.get("group_name")
     if group_name is not None:
@@ -379,7 +390,7 @@ def group_edit(group_id: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_create(formsemestre_id: int):
     """Création d'une partition dans un semestre
@@ -399,6 +410,8 @@ def partition_create(formsemestre_id: int):
     formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
     if not formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     data = request.get_json(force=True)  # may raise 400 Bad Request
     partition_name = data.get("partition_name")
     if partition_name is None:
@@ -442,7 +455,7 @@ def partition_create(formsemestre_id: int):
 )
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def formsemestre_order_partitions(formsemestre_id: int):
     """Modifie l'ordre des partitions du formsemestre
@@ -454,6 +467,8 @@ def formsemestre_order_partitions(formsemestre_id: int):
     formsemestre: FormSemestre = query.first_or_404(formsemestre_id)
     if not formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     partition_ids = request.get_json(force=True)  # may raise 400 Bad Request
     if not isinstance(partition_ids, int) and not all(
         isinstance(x, int) for x in partition_ids
@@ -480,7 +495,7 @@ def formsemestre_order_partitions(formsemestre_id: int):
 @api_web_bp.route("/partition/<int:partition_id>/groups/order", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_order_groups(partition_id: int):
     """Modifie l'ordre des groupes de la partition
@@ -492,6 +507,8 @@ def partition_order_groups(partition_id: int):
     partition: Partition = query.first_or_404()
     if not partition.formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     group_ids = request.get_json(force=True)  # may raise 400 Bad Request
     if not isinstance(group_ids, int) and not all(
         isinstance(x, int) for x in group_ids
@@ -515,7 +532,7 @@ def partition_order_groups(partition_id: int):
 @api_web_bp.route("/partition/<int:partition_id>/edit", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_edit(partition_id: int):
     """Modification d'une partition dans un semestre
@@ -536,6 +553,8 @@ def partition_edit(partition_id: int):
     partition: Partition = query.first_or_404()
     if not partition.formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     data = request.get_json(force=True)  # may raise 400 Bad Request
     modified = False
     partition_name = data.get("partition_name")
@@ -585,7 +604,7 @@ def partition_edit(partition_id: int):
 @api_web_bp.route("/partition/<int:partition_id>/delete", methods=["POST"])
 @login_required
 @scodoc
-@permission_required(Permission.ScoEtudChangeGroups)
+@permission_required(Permission.ScoView)
 @as_json
 def partition_delete(partition_id: int):
     """Suppression d'une partition (et de tous ses groupes).
@@ -601,6 +620,8 @@ def partition_delete(partition_id: int):
     partition: Partition = query.first_or_404()
     if not partition.formsemestre.etat:
         return json_error(403, "formsemestre verrouillé")
+    if not partition.formsemestre.can_change_groups():
+        return json_error(401, "opération non autorisée")
     if not partition.partition_name:
         return json_error(
             API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"