Restreint l'accès aux annotations via l'API à la permission ViewEtudData

Lyanis Souidi 2024-02-10 15:53:57 +01:00
parent 6ae2b0eb5f
commit e989a4ffa8


@ -519,7 +519,7 @@ class Identite(models.ScoDocModel):
e.pop("departement", None) e.pop("departement", None)
e["sort_key"] = self.sort_key e["sort_key"] = self.sort_key
e["annotations"] = [ e["annotations"] = [
annot.to_dict() annot.to_dict(restrict=restrict)
for annot in EtudAnnotation.query.filter_by(etudid=self.id).order_by( for annot in EtudAnnotation.query.filter_by(etudid=self.id).order_by(
desc(EtudAnnotation.date) desc(EtudAnnotation.date)
) )
@ -1082,10 +1082,14 @@ class EtudAnnotation(db.Model):
author = db.Column(db.Text) # le pseudo (user_name), was zope_authenticated_user author = db.Column(db.Text) # le pseudo (user_name), was zope_authenticated_user
comment = db.Column(db.Text) comment = db.Column(db.Text)
def to_dict(self): protected_attrs = {"comment"}
"""Représentation dictionnaire."""
def to_dict(self, restrict=False):
"""Représentation dictionnaire. Si restrict, filtre les champs protégés (RGPD)."""
e = dict(self.__dict__) e = dict(self.__dict__)
e.pop("_sa_instance_state", None) e.pop("_sa_instance_state", None)
if restrict:
e = {k: v for (k, v) in e.items() if k not in self.protected_attrs}
return e return e
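Review bot: `to_dict(self, restrict=False)` fails open: any caller that omits `restrict` still receives `comment`, so the protection depends on every API path remembering the argument. Only the `Identite` call site in the first hunk is visibly updated, and other callers of `EtudAnnotation.to_dict()` may exist outside this page. Consider making the restrictive case the default, `def to_dict(self, restrict=True):`, so that only callers that have checked ViewEtudData pass `restrict=False` explicitly. `protected_attrs = {"comment"}` is also a denylist over `self.__dict__`, so a column added later is returned to restricted callers unless it is added to the set; an allowlist of fields safe to expose would fail closed. With `restrict` set, the remaining fields, including `author`, are still returned, so it is worth confirming that this is intended for users without the permission.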