permissions non fonctionnel

2022-03-04 17:16:08 +01:00 · 2022-03-04 17:16:08 +01:00 · 47123aeb1e
commit 47123aeb1e
parent 90e292341e
10 changed files with 82 additions and 23 deletions
--- a/app/api/absences.py
+++ b/app/api/absences.py
@ -7,13 +7,16 @@ from app import models
 from app.api import bp
 from app.api.auth import token_auth
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.scodoc.sco_abs import add_absence, add_justif, annule_absence, annule_justif, list_abs_date
 from app.scodoc.sco_groups import get_group_members
+from app.scodoc.sco_permissions import Permission


@bp.route("/absences/etudid/<int:etudid>", methods=["GET"])
@bp.route("/absences/nip/<int:nip>", methods=["GET"])
@bp.route("/absences/ine/<int:ine>", methods=["GET"])
+@permission_required(Permission.APIView)
 def absences(etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne la liste des absences d'un étudiant donné
@ -50,6 +53,7 @@ def absences(etudid: int = None, nip: int = None, ine: int = None):
@bp.route("/absences/etudid/<int:etudid>/abs_just_only", methods=["GET"])
@bp.route("/absences/nip/<int:nip>/abs_just_only", methods=["GET"])
@bp.route("/absences/ine/<int:ine>/abs_just_only", methods=["GET"])
+@permission_required(Permission.APIView)
 def absences_justify(etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne la liste des absences justifiées d'un étudiant donné
@ -92,6 +96,7 @@ def absences_justify(etudid: int = None, nip: int = None, ine: int = None):
@bp.route("/absences/abs_signale?ine=<int:ine>&date=<string:date>&matin=<string:matin>&justif=<string:justif>"
          "&description=<string:description>&moduleimpl_id=<int:moduleimpl_id>", methods=["POST"])
@token_auth.login_required
+@permission_required(Permission.APIAbsChange)
 def abs_signale(date: datetime, matin: bool, justif: bool, etudid: int = None, nip: int = None, ine: int = None,
                description: str = None, moduleimpl_id: int = None):
    """
@ -214,6 +219,7 @@ def abs_signale(date: datetime, matin: bool, justif: bool, etudid: int = None, n
@bp.route("/absences/abs_annule?nip=<int:nip>&jour=<string:jour>&matin=<string:matin>", methods=["POST"])
@bp.route("/absences/abs_annule?ine=<int:ine>&jour=<string:jour>&matin=<string:matin>", methods=["POST"])
@token_auth.login_required
+@permission_required(Permission.APIAbsChange)
 def abs_annule(jour: datetime, matin: str, etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne un html
@ -251,6 +257,7 @@ def abs_annule(jour: datetime, matin: str, etudid: int = None, nip: int = None,
@bp.route("/absences/abs_annule_justif?nip=<int:nip>&jour=<string:jour>&matin=<string:matin>", methods=["POST"])
@bp.route("/absences/abs_annule_justif?ine=<int:ine>&jour=<string:jour>&matin=<string:matin>", methods=["POST"])
@token_auth.login_required
+@permission_required(Permission.APIAbsChange)
 def abs_annule_justif(jour: datetime, matin: str, etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne un html
@ -285,6 +292,7 @@ def abs_annule_justif(jour: datetime, matin: str, etudid: int = None, nip: int =


@bp.route("/absences/abs_group_etat/?group_id=<int:group_id>&date_debut=date_debut&date_fin=date_fin", methods=["GET"])
+@permission_required(Permission.APIView)
 def abs_groupe_etat(group_id: int, date_debut, date_fin, with_boursier=True, format="html"):
    """
    Retoune la liste des absences d'un ou plusieurs groupes entre deux dates
--- a/app/api/departements.py
+++ b/app/api/departements.py
@ -5,7 +5,9 @@ from app import models
 from app.api import bp
 from app.api.auth import token_auth
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.models import ApcReferentielCompetences
+from app.scodoc.sco_permissions import Permission
 from app.scodoc.sco_prepajury import feuille_preparation_jury
 from app.scodoc.sco_pvjury import formsemestre_pvjury
 from app.scodoc.sco_recapcomplet import formsemestre_recapcomplet
@ -14,7 +16,8 @@ from app.scodoc.sco_saisie_notes import notes_add


@bp.route("/departements", methods=["GET"])
-#@token_auth.login_required                 # Commenté le temps des tests
+@token_auth.login_required                 # Commenté le temps des tests
+@permission_required(Permission.APIView)
 def departements():
    """
    Retourne la liste des ids de départements visibles
@ -33,7 +36,8 @@ def departements():
@bp.route("/departements/<string:dept>/etudiants/liste", methods=["GET"])
@bp.route("/departements/<string:dept>/etudiants/liste/<int:formsemestre_id>", methods=["GET"])
 # @token_auth.login_required
-def liste_etudiants(dept: str, formsemestre_id=None):  # XXX TODO A REVOIR
+@permission_required(Permission.APIView)
+def liste_etudiants(dept: str, formsemestre_id=None):
    """
    Retourne la liste des étudiants d'un département

@ -137,6 +141,7 @@ def liste_etudiants(dept: str, formsemestre_id=None):  # XXX TODO A REVOIR

@bp.route("/departements/<string:dept>/semestres_courants", methods=["GET"])
 # @token_auth.login_required                # Commenté le temps des tests
+# @permission_required(Permission.APIView)
 def liste_semestres_courant(dept: str):
    """
    Liste des semestres actifs d'un départements donné
@ -195,6 +200,7 @@ def liste_semestres_courant(dept: str):


@bp.route("/departements/<string:dept>/formations/<int:formation_id>/referentiel_competences", methods=["GET"])
+@permission_required(Permission.APIView)
 def referenciel_competences(dept: str, formation_id: int):
    """
    Retourne le référentiel de compétences
@ -221,6 +227,7 @@ def referenciel_competences(dept: str, formation_id: int):


@bp.route("/departements/<string:dept>/formsemestre/<string:formsemestre_id>/programme", methods=["GET"])
+@permission_required(Permission.APIView)
 def semestre_index(dept: str, formsemestre_id: int):
    """
    Retourne la liste des Ues, ressources et SAE d'un semestre
--- a/app/api/etudiants.py
+++ b/app/api/etudiants.py
@ -4,11 +4,14 @@ from flask import jsonify
 from app import models
 from app.api import bp
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.scodoc.sco_bulletins_json import make_json_formsemestre_bulletinetud
 from app.scodoc.sco_groups import get_etud_groups
+from app.scodoc.sco_permissions import Permission


@bp.route("/etudiants", methods=["GET"])
+@permission_required(Permission.APIView)
 def etudiants():
    """
    Retourne la liste de tous les étudiants
@ -49,6 +52,7 @@ def etudiants():


@bp.route("/etudiants/courant", methods=["GET"])
+@permission_required(Permission.APIView)
 def etudiants_courant():
    """
    Retourne la liste des étudiants courant
@ -94,6 +98,7 @@ def etudiants_courant():
@bp.route("/etudiant/etudid/<int:etudid>", methods=["GET"])
@bp.route("/etudiant/nip/<int:nip>", methods=["GET"])
@bp.route("/etudiant/ine/<int:ine>", methods=["GET"])
+@permission_required(Permission.APIView)
 def etudiant(etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne les informations de l'étudiant correspondant à l'id passé en paramètres.
@ -138,6 +143,7 @@ def etudiant(etudid: int = None, nip: int = None, ine: int = None):
@bp.route("/etudiant/etudid/<int:etudid>/formsemestres")
@bp.route("/etudiant/nip/<int:nip>/formsemestres")
@bp.route("/etudiant/ine/<int:ine>/formsemestres")
+@permission_required(Permission.APIView)
 def etudiant_formsemestres(etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne la liste des semestres qu'un étudiant a suivis
@ -225,6 +231,7 @@ def etudiant_formsemestres(etudid: int = None, nip: int = None, ine: int = None)
@bp.route("/etudiant/etudid/<int:etudid>/formsemestre/<int:formsemestre_id>/bulletin", methods=["GET"])
@bp.route("/etudiant/nip/<int:nip>/formsemestre/<int:formsemestre_id>/bulletin", methods=["GET"])
@bp.route("/etudiant/ine/<int:ine>/formsemestre/<int:formsemestre_id>/bulletin", methods=["GET"])
+@permission_required(Permission.APIView)
 def etudiant_bulletin_semestre(formsemestre_id, etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne le bulletin d'un étudiant en fonction de son id et d'un semestre donné
@ -252,15 +259,10 @@ def etudiant_bulletin_semestre(formsemestre_id, etudid: int = None, nip: int = N
    # return error_response(501, message="Not implemented")


-@bp.route(
-    "/etudiant/etudid/<int:etudid>/semestre/<int:formsemestre_id>/groups", methods=["GET"]
-)
-@bp.route(
-    "/etudiant/nip/<int:nip>/semestre/<int:formsemestre_id>/groups", methods=["GET"]
-)
-@bp.route(
-    "/etudiant/ine/<int:ine>/semestre/<int:formsemestre_id>/groups", methods=["GET"]
-)
+@bp.route("/etudiant/etudid/<int:etudid>/semestre/<int:formsemestre_id>/groups", methods=["GET"])
+@bp.route("/etudiant/nip/<int:nip>/semestre/<int:formsemestre_id>/groups", methods=["GET"])
+@bp.route("/etudiant/ine/<int:ine>/semestre/<int:formsemestre_id>/groups", methods=["GET"])
+@permission_required(Permission.APIView)
 def etudiant_groups(formsemestre_id: int, etudid: int = None, nip: int = None, ine: int = None):
    """
    Retourne la liste des groupes auxquels appartient l'étudiant dans le semestre indiqué
--- a/app/api/evaluations.py
+++ b/app/api/evaluations.py
@ -5,10 +5,13 @@ from app import models
 from app.api import bp
 from app.api.auth import token_auth
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.scodoc.sco_evaluation_db import do_evaluation_get_all_notes
+from app.scodoc.sco_permissions import Permission


@bp.route("/evaluations/<int:moduleimpl_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def evaluations(moduleimpl_id: int):
    """
    Retourne la liste des évaluations à partir de l'id d'un moduleimpl
@ -26,6 +29,7 @@ def evaluations(moduleimpl_id: int):


@bp.route("/evaluations/eval_notes/<int:evaluation_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def evaluation_notes(evaluation_id: int):
    """
    Retourne la liste des notes à partir de l'id d'une évaluation donnée
@ -47,6 +51,7 @@ def evaluation_notes(evaluation_id: int):
@bp.route("/evaluations/eval_set_notes?eval_id=<int:eval_id>&nip=<int:nip>&note=<float:note>", methods=["POST"])
@bp.route("/evaluations/eval_set_notes?eval_id=<int:eval_id>&ine=<int:ine>&note=<float:note>", methods=["POST"])
@token_auth.login_required
+@permission_required(Permission.APIEditAllNotes)
 def evaluation_set_notes(eval_id: int, note: float, etudid: int = None, nip: int = None, ine: int = None):
    """
    Set les notes d'une évaluation pour un étudiant donnée
--- a/app/api/formations.py
+++ b/app/api/formations.py
@ -4,11 +4,14 @@ from flask import jsonify
 from app import models
 from app.api import bp
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.scodoc.sco_formations import formation_export
 from app.scodoc.sco_moduleimpl import moduleimpl_list
+from app.scodoc.sco_permissions import Permission


@bp.route("/formations", methods=["GET"])
+@permission_required(Permission.APIView)
 def formations():
    """
    Retourne la liste des formations
@ -23,6 +26,7 @@ def formations():


@bp.route("/formations/<int:formation_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def formations_by_id(formation_id: int):
    """
    Retourne une formation en fonction d'un id donné
@ -39,6 +43,7 @@ def formations_by_id(formation_id: int):


@bp.route("/formations/formation_export/<int:formation_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def formation_export_by_formation_id(formation_id: int, export_ids=False):
    """
    Retourne la formation, avec UE, matières, modules
@ -55,6 +60,7 @@ def formation_export_by_formation_id(formation_id: int, export_ids=False):


@bp.route("/formations/apo/<string:etape_apo>", methods=["GET"])
+@permission_required(Permission.APIView)
 def formsemestre_apo(etape_apo: int):
    """
    Retourne les informations sur les formsemestres
@ -75,6 +81,7 @@ def formsemestre_apo(etape_apo: int):


@bp.route("/formations/moduleimpl/<int:moduleimpl_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def moduleimpls(moduleimpl_id: int):
    """
    Retourne la liste des moduleimpl
@ -90,8 +97,8 @@ def moduleimpls(moduleimpl_id: int):
    return jsonify(data)


-@bp.route(
-    "/formations/moduleimpl/<int:moduleimpl_id>/formsemestre/<int:formsemestre_id>", methods=["GET"])
+@bp.route("/formations/moduleimpl/<int:moduleimpl_id>/formsemestre/<int:formsemestre_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def moduleimpls_sem(moduleimpl_id: int, formsemestre_id: int):
    """
    Retourne la liste des moduleimpl d'un semestre
--- a/app/api/formsemestres.py
+++ b/app/api/formsemestres.py
@ -4,12 +4,15 @@ from flask import jsonify
 from app import models
 from app.api import bp
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.scodoc.sco_bulletins import formsemestre_bulletinetud_dict
+from app.scodoc.sco_permissions import Permission
 from app.scodoc.sco_pvjury import formsemestre_pvjury
 from app.scodoc.sco_recapcomplet import formsemestre_recapcomplet


@bp.route("/formations/formsemestre/<int:formsemestre_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def formsemestre(formsemestre_id: int):
    """
    Retourne l'information sur le formsemestre correspondant au formsemestre_id
@ -38,6 +41,7 @@ def formsemestre(formsemestre_id: int):
    "/formsemestre/<int:formsemestre_id>/departements/<string:dept>/etudiant/ine/<int:ine>/bulletin",
    methods=["GET"],
 )
+@permission_required(Permission.APIView)
 def etudiant_bulletin(formsemestre_id, dept, etudid, format="json", *args, size):
    """
    Retourne le bulletin de note d'un étudiant
@ -63,6 +67,7 @@ def etudiant_bulletin(formsemestre_id, dept, etudid, format="json", *args, size)


@bp.route("/formsemestre/<int:formsemestre_id>/bulletins", methods=["GET"])
+@permission_required(Permission.APIView)
 def bulletins(formsemestre_id: int):
    """
    Retourne les bulletins d'un formsemestre donné
@ -81,6 +86,7 @@ def bulletins(formsemestre_id: int):


@bp.route("/formsemestre/<int:formsemestre_id>/jury", methods=["GET"])
+@permission_required(Permission.APIView)
 def jury(formsemestre_id: int):
    """
    Retourne le récapitulatif des décisions jury
--- a/app/api/logos.py
+++ b/app/api/logos.py
@ -36,6 +36,7 @@ from app.api import bp
 from app.api import requested_format
 from app.api.auth import token_auth
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.models import Departement
 from app.scodoc.sco_logos import list_logos, find_logo
 from app.scodoc.sco_permissions import Permission
@ -43,6 +44,7 @@ from app.scodoc.sco_permissions import Permission

@bp.route("/logos", methods=["GET"])
@token_auth.login_required
+@permission_required(Permission.APIView)
 def api_get_glob_logos():
    if not g.current_user.has_permission(Permission.ScoSuperAdmin, None):
        return error_response(401, message="accès interdit")
@ -55,6 +57,7 @@ def api_get_glob_logos():

@bp.route("/logos/<string:logoname>", methods=["GET"])
@token_auth.login_required
+@permission_required(Permission.APIView)
 def api_get_glob_logo(logoname):
    if not g.current_user.has_permission(Permission.ScoSuperAdmin, None):
        return error_response(401, message="accès interdit")
@ -71,6 +74,7 @@ def api_get_glob_logo(logoname):

@bp.route("/departements/<string:departement>/logos", methods=["GET"])
@token_auth.login_required
+@permission_required(Permission.APIView)
 def api_get_local_logos(departement):
    dept_id = Departement.from_acronym(departement).id
    if not g.current_user.has_permission(Permission.ScoChangePreferences, departement):
@ -81,6 +85,7 @@ def api_get_local_logos(departement):

@bp.route("/departements/<string:departement>/logos/<string:logoname>", methods=["GET"])
@token_auth.login_required
+@permission_required(Permission.APIView)
 def api_get_local_logo(departement, logoname):
    # format = requested_format("jpg", ['png', 'jpg']) XXX ?
    dept_id = Departement.from_acronym(departement).id
--- a/app/api/partitions.py
+++ b/app/api/partitions.py
@ -5,10 +5,13 @@ from app import models
 from app.api import bp
 from app.api.auth import token_auth
 from app.api.errors import error_response
+from app.decorators import permission_required
 from app.scodoc.sco_groups import get_group_members, setGroups
+from app.scodoc.sco_permissions import Permission


@bp.route("/partitions/<int:formsemestre_id>", methods=["GET"])
+@permission_required(Permission.APIView)
 def partition(formsemestre_id: int):
    """
    Retourne la liste de toutes les partitions d'un formsemestre
@ -31,6 +34,7 @@ def partition(formsemestre_id: int):
 # )
@bp.route("/partitions/groups/<int:group_id>", methods=["GET"])
@bp.route("/partitions/groups/<int:group_id>/etat/<string:etat>", methods=["GET"])
+@permission_required(Permission.APIView)
 def etud_in_group(group_id: int, etat=None):
    """
    Retourne la liste des étudiants dans un groupe
@ -61,6 +65,7 @@ def etud_in_group(group_id: int, etat=None):
    "groups_to_create=<int:groups_to_create>&groups_to_delete=<int:groups_to_delete>", methods=["POST"],
 )
@token_auth.login_required
+@permission_required(Permission.APIEtudChangeGroups)
 def set_groups(partition_id: int, groups_lists: int, groups_to_delete: int, groups_to_create: int):
    """
    Set les groups
--- a/app/api/test_api.py
+++ b/app/api/test_api.py
@ -13,11 +13,19 @@ SCODOC_PASSWORD = "admin"
 SCODOC_URL = "http://192.168.1.12:5000"
 CHECK_CERTIFICATE = bool(int(os.environ.get("CHECK_CERTIFICATE", False)))

-# r0 = requests.post(
-#     SCODOC_URL + "/ScoDoc/api/tokens", auth=(SCODOC_USER, SCODOC_PASSWORD)
-#     )
-# token = r0.json()["token"]
-# HEADERS = {"Authorization": f"Bearer {token}"}
+HEADERS = None
+
+def get_token():
+    """
+    Permet de set le token dans le header
+    """
+    global HEADERS
+    r0 = requests.post(
+        SCODOC_URL + "/ScoDoc/api/tokens", auth=(SCODOC_USER, SCODOC_PASSWORD)
+        )
+    token = r0.json()["token"]
+    HEADERS = {"Authorization": f"Bearer {token}"}
+

 DEPT = None
 FORMSEMESTRE = None
@ -29,10 +37,16 @@ def get_departement():
    """
    Permet de tester departements() mais également de set un département dans DEPT pour la suite des tests
    """
+
+    get_token()
+
+    global HEADERS
+
+    print(HEADERS)
    # departements
    r = requests.get(
        SCODOC_URL + "/ScoDoc/api/departements",
-        auth=(SCODOC_USER, SCODOC_PASSWORD)
+        headers=HEADERS, verify=CHECK_CERTIFICATE
    )

    if r.status_code == 200:
--- a/app/scodoc/sco_permissions.py
+++ b/app/scodoc/sco_permissions.py
@ -48,10 +48,10 @@ _SCO_PERMISSIONS = (
    (1 << 25, "RelationsEntreprisesSend", "Envoyer des offres"),
    (1 << 26, "RelationsEntreprisesValidate", "Valide les entreprises"),
    # Api scodoc9
-    (1 << 27, "APIView", ""),
-    (1 << 28, "APIEtudChangeGroups", ""),
-    (1 << 29, "APIEditAllNotes", ""),
-    (1 << 30, "APIAbsChange", ""),
+    (1 << 27, "APIView", "Voir"),
+    (1 << 28, "APIEtudChangeGroups", "Modifier les groupes"),
+    (1 << 29, "APIEditAllNotes", "Modifier toutes les notes"),
+    (1 << 30, "APIAbsChange", "Saisir des absences"),
 )