From 592100b41150176a1c01ae5d7b2ac2b5695d6012 Mon Sep 17 00:00:00 2001 From: ticoucke Date: Tue, 12 Mar 2024 23:14:35 +0100 Subject: [PATCH] Alle permissies toegevoegd en getest --- api/models/gebruiker.py | 2 +- api/serializers/score.py | 5 +++ api/utils.py | 17 +++++++++- api/views/gebruiker.py | 29 +++++++++++----- api/views/groep.py | 49 ++++++++++++++++----------- api/views/indiening.py | 35 ++++++++++++++----- api/views/project.py | 49 ++++++++++++++++----------- api/views/score.py | 52 ++++++++++++++++++----------- api/views/vak.py | 50 +++++++++++++++------------ api/views/views.py | 2 ++ frontend/frontend/package-lock.json | 19 +---------- 11 files changed, 193 insertions(+), 116 deletions(-) diff --git a/api/models/gebruiker.py b/api/models/gebruiker.py index 26b8882a..8b26f94b 100644 --- a/api/models/gebruiker.py +++ b/api/models/gebruiker.py @@ -7,4 +7,4 @@ class Gebruiker(models.Model): is_lesgever = models.BooleanField(default=False) def __str__(self): - return self.user.first_name + self.user.last_name + return self.user.first_name + ' ' + self.user.last_name diff --git a/api/serializers/score.py b/api/serializers/score.py index 50625d71..ca13ff08 100644 --- a/api/serializers/score.py +++ b/api/serializers/score.py @@ -15,6 +15,7 @@ def create(self, validated_data): def update(self, instance, validated_data): validate_score(validated_data) + validate_indiening(instance, validated_data) super().update(instance=instance, validated_data=validated_data) instance.save() return instance @@ -24,4 +25,8 @@ def validate_score(data): if data['score'] > max_score: raise serializers.ValidationError(f'Score kan niet hoger zijn dan de maximale score van {max_score}') +def validate_indiening(instance, data): + if instance.indiening != data.get('indiening'): + raise serializers.ValidationError('indiening_id kan niet aangepast worden') + diff --git a/api/utils.py b/api/utils.py index d1df784c..f51ee762 100644 --- a/api/utils.py +++ b/api/utils.py 
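Review bot: The new validate_indiening check runs inside update(), after is_valid() has already returned True, so a changed indiening surfaces as an exception thrown out of serializer.save() instead of through serializer.errors like any other field error in this serializer. The comparison `instance.indiening != data.get('indiening')` is fine for the full PUT the views send, but it would reject any partial update that simply omits the field, since .get() then yields None. Both points go away if the check moves into the serializer's validate(): `def validate(self, attrs):` / `if self.instance is not None and 'indiening' in attrs and attrs['indiening'] != self.instance.indiening: raise serializers.ValidationError('indiening_id kan niet aangepast worden')` / `return attrs`, and update() then only needs to call super(). validate_score has the same shape and could move along with it.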
@@ -1,4 +1,5 @@ from django.conf import settings +from api.models.gebruiker import Gebruiker import requests @@ -7,6 +8,7 @@ 'vakken': '/api/vakken', 'groepen': '/api/groepen', 'indieningen': '/api/indieningen', + 'indiening_bestanden': '/api/indiening_bestanden', 'scores': 'api/scores', 'projecten': 'api/projecten' } @@ -30,5 +32,18 @@ def get_graph_token(): response = requests.post(url=url, headers=headers, data=data) return response.json() - except: + except Exception: return None + +def is_lesgever(user): + if user.is_superuser: + return True + gebruiker = Gebruiker.objects.get(pk=user.id) + return gebruiker.is_lesgever + +def contains(lijst, user): + gebruiker = Gebruiker.objects.get(pk=user.id) + return lijst.all().contains(gebruiker) + +def get_gebruiker(user): + return Gebruiker.objects.get(pk=user.id) diff --git a/api/views/gebruiker.py b/api/views/gebruiker.py index 2e49f553..08cba371 100644 --- a/api/views/gebruiker.py +++ b/api/views/gebruiker.py @@ -5,13 +5,18 @@ from api.models.gebruiker import Gebruiker from api.serializers.gebruiker import GebruikerSerializer +from api.utils import is_lesgever + @api_view(['GET']) def gebruiker_list(request): if request.method == 'GET': - gebruikers = Gebruiker.objects.all() + if is_lesgever(request.user): + gebruikers = Gebruiker.objects.all() + else: + gebruikers = Gebruiker.objects.filter(user=request.user.id) if 'is_lesgever' in request.GET and request.GET.get('is_lesgever').lower() in ['true', 'false']: gebruikers = gebruikers.filter(is_lesgever = (request.GET.get('is_lesgever').lower() == 'true')) @@ -19,6 +24,7 @@ def gebruiker_list(request): serializer = GebruikerSerializer(gebruikers, many=True) return Response(serializer.data) + return Response(status=status.HTTP_403_FORBIDDEN) @api_view(['GET', 'PUT']) 
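Review bot: is_lesgever and contains both do `Gebruiker.objects.get(pk=user.id)`, which raises Gebruiker.DoesNotExist for an authenticated user who has no Gebruiker row yet and for an anonymous request (whose id is None); since every view in this commit now calls these helpers first, such requests end in a 500 rather than a 401 or 403. Whether anonymous requests reach the views at all depends on the DRF permission settings, which are not part of this diff, so the helpers should not rely on it. An existence query that treats a missing profile as "no permission" keeps the same semantics for everyone else and also avoids loading the row:
```python
def is_lesgever(user):
    if not user.is_authenticated:
        return False
    if user.is_superuser:
        return True
    return Gebruiker.objects.filter(pk=user.id, is_lesgever=True).exists()

def contains(lijst, user):
    return user.is_authenticated and lijst.filter(pk=user.id).exists()
```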
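Review bot: The `return Response(status=status.HTTP_403_FORBIDDEN)` added at the end of gebruiker_list is unreachable: the view is decorated with `@api_view(['GET'])`, so any other method is answered with 405 before the body runs, and the `if request.method == 'GET':` branch always returns. Either drop the trailing line or drop the now-redundant method check; leaving both suggests a permission path that does not exist. The non-lesgever branch `Gebruiker.objects.filter(user=request.user.id)` itself looks right.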
@@ -29,12 +35,19 @@ def gebruiker_detail(request, id): return Response(status=status.HTTP_404_NOT_FOUND) if request.method == 'GET': - serializer = GebruikerSerializer(gebruiker) - return Response(serializer.data) - if request.method == 'PUT': - serializer = GebruikerSerializer(gebruiker, data=request.data) - if serializer.is_valid(): - serializer.save() + if is_lesgever(request.user) or id == request.user.id: + serializer = GebruikerSerializer(gebruiker) return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) + elif request.method == 'PUT': + if request.user.is_superuser: + serializer = GebruikerSerializer(gebruiker, data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) + + + diff --git a/api/views/groep.py b/api/views/groep.py index 359f9535..db7cffb6 100644 --- a/api/views/groep.py +++ b/api/views/groep.py @@ -4,13 +4,16 @@ from api.models.groep import Groep from api.serializers.groep import GroepSerializer +from api.utils import is_lesgever, contains @api_view(['GET', 'POST']) def groep_list(request, format=None): - if request.method == 'GET': - groepen = Groep.objects.all() + if is_lesgever(request.user): + groepen = Groep.objects.all() + else: + groepen = Groep.objects.filter(studenten=request.user.id) if "project" in request.GET: try: 
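Review bot: The self-access test in gebruiker_detail, `id == request.user.id`, compares the URL keyword against an integer, so it only works if the route uses an int converter; with a str/slug converter it is always False and every student is locked out of their own record. The view has already fetched the row, so comparing the relation instead is converter-independent and matches how utils.py keys Gebruiker by user id: `if is_lesgever(request.user) or gebruiker.user_id == request.user.id:`. Restricting PUT to superusers is fine, but note is_lesgever() is then evaluated again on the PUT path only via the GET branch, so no extra query there.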
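Review bot: In groep_list the `if request.method == 'GET':` line is removed and replaced by the `if is_lesgever(request.user): ... else: ...` pair, while the next hunk keeps `elif request.method == 'POST':` as unchanged context. Unless the indentation of the surrounding lines (not recoverable from this rendering) was reworked, that leaves an elif without a method if, and the listing code with its `return Response(serializer.data)` also runs for POST, so groups can never be created. Keep the method guard and nest the new branch under it, `if request.method == 'GET':` / `if is_lesgever(request.user):` / `groepen = Groep.objects.all()`, exactly as score_list and vak_list do elsewhere in this commit.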
@@ -29,13 +32,16 @@ def groep_list(request, format=None): serializer = GroepSerializer(groepen, many=True) return Response(serializer.data) - + + elif request.method == 'POST': - serializer = GroepSerializer(data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data, status=status.HTTP_201_CREATED) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + if is_lesgever(request.user): + serializer = GroepSerializer(data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data, status=status.HTTP_201_CREATED) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) @api_view(['GET', 'PUT', 'DELETE']) def groep_detail(request, id, format=None): 
@@ -43,18 +49,21 @@ def groep_detail(request, id, format=None): groep = Groep.objects.get(pk=id) except Groep.DoesNotExist: return Response(status=status.HTTP_404_NOT_FOUND) - if request.method == 'GET': - serializer = GroepSerializer(groep) - return Response(serializer.data) - - elif request.method == 'PUT': - serializer = GroepSerializer(groep, data=request.data) - if serializer.is_valid(): - serializer.save() + if is_lesgever(request.user) or contains(groep.studenten, request.user): + serializer = GroepSerializer(groep) return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) - elif request.method == 'DELETE': - groep.delete() - return Response(status=status.HTTP_204_NO_CONTENT) \ No newline at end of file + if is_lesgever(request.user): + if request.method == 'PUT': + serializer = GroepSerializer(groep, data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + + elif request.method == 'DELETE': + groep.delete() + return Response(status=status.HTTP_204_NO_CONTENT) + return Response(status=status.HTTP_403_FORBIDDEN) \ No newline at end of file diff --git a/api/views/indiening.py b/api/views/indiening.py index 670c675d..8fdc6a6c 100644 --- a/api/views/indiening.py +++ b/api/views/indiening.py 
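Review bot: groep_detail drops its `if request.method == 'GET':` guard, so `if is_lesgever(request.user) or contains(groep.studenten, request.user):` now answers every method: a lesgever sending PUT or DELETE gets a 200 with the unchanged group and the `if is_lesgever(request.user): if request.method == 'PUT': ...` block below is never reached, while a student's PUT is answered with the group instead of a 403. Indentation is lost in this rendering, so please verify against the file, but project_detail, score_detail and vak_detail in this same commit keep the method guard and this view should match them: wrap the permission check in `if request.method == 'GET':` and move the 403 inside that branch.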
@@ -3,14 +3,19 @@ from rest_framework import status from api.models.indiening import Indiening, IndieningBestand +from api.models.groep import Groep from api.serializers.indiening import IndieningSerializer, IndieningBestandSerializer +from api.utils import is_lesgever, contains @api_view(['GET', 'POST']) def indiening_list(request, format=None): - if request.method == 'GET': - indieningen = Indiening.objects.all() + if is_lesgever(request.user): + indieningen = Indiening.objects.all() + else: + groepen = Groep.objects.filter(studenten=request.user.id) + indieningen = Indiening.objects.filter(groep__in=groepen) if "groep" in request.GET: try: @@ -47,12 +52,16 @@ def indiening_detail(request, id, format=None): return Response(status=status.HTTP_404_NOT_FOUND) if request.method == 'GET': - serializer = IndieningSerializer(indiening) - return Response(serializer.data) + if is_lesgever(request.user) or contains(indiening.groep.studenten, request.user): + serializer = IndieningSerializer(indiening) + return Response(serializer.data) + return Response(status=status.HTTP_403_FORBIDDEN) elif request.method == 'DELETE': - indiening.delete() - return Response(status=status.HTTP_204_NO_CONTENT) + if is_lesgever(request.user) or contains(indiening.groep.studenten, request.user): + indiening.delete() + return Response(status=status.HTTP_204_NO_CONTENT) + return Response(status=status.HTTP_403_FORBIDDEN) @@ -60,7 +69,13 @@ def indiening_detail(request, id, format=None): def indiening_bestand_list(request, format=None): if request.method == 'GET': - indieningen_bestanden = IndieningBestand.objects.all() + if is_lesgever(request.user): + indieningen_bestanden = IndieningBestand.objects.all() + else: + groepen = Groep.objects.filter(studenten=request.user.id) + indieningen = Indiening.objects.filter(groep__in=groepen) + indieningen_bestanden = IndieningBestand.objects.filter(indiening__in=indieningen) + if "indiening" in request.GET: try: 
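Review bot: indiening_list has the same shape as groep_list: `if request.method == 'GET':` is removed and the lesgever/student branch takes its place, so the filtering and the `return Response(serializer.data)` that follow it run for POST as well, and the POST branch (outside this hunk, the view is declared with `['GET', 'POST']`) is either unreachable or no longer attached to a valid if. Nest the new branch under a restored `if request.method == 'GET':` as score_list does. Indentation cannot be read from this rendering, so confirm against the file.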
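Review bot: The DELETE branch of indiening_detail grants deletion to any member of the submitting group (`is_lesgever(request.user) or contains(indiening.groep.studenten, request.user)`), which is broader than every other write in this commit, where PUT/DELETE is lesgever-only. A student can thereby remove a submission after it has been scored; score.py shows Score rows reference Indiening, so depending on the FK's on_delete this may also take the score with it. If students are meant to withdraw submissions, consider limiting it to unscored ones; otherwise make the branch `if is_lesgever(request.user):` like the rest.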
@@ -81,5 +96,7 @@ def indiening_bestand_detail(request, id, format=None): return Response(status=status.HTTP_404_NOT_FOUND) if request.method == 'GET': - serializer = IndieningBestandSerializer(indiening_bestand) - return Response(serializer.data) + if is_lesgever(request.user) or contains(indiening_bestand.indiening.groep.studenten, request.user): + serializer = IndieningBestandSerializer(indiening_bestand) + return Response(serializer.data) + return Response(status=status.HTTP_403_FORBIDDEN) diff --git a/api/views/project.py b/api/views/project.py index 21e40e47..5bd20d19 100644 --- a/api/views/project.py +++ b/api/views/project.py @@ -3,14 +3,19 @@ from rest_framework import status from api.models.project import Project +from api.models.vak import Vak from api.serializers.project import ProjectSerializer +from api.utils import is_lesgever, contains @api_view(['GET', 'POST']) def project_list(request, format=None): - if request.method == 'GET': - projects = Project.objects.all() + if is_lesgever(request.user): + projects = Project.objects.all() + else: + vakken = Vak.objects.filter(studenten=request.user.id) + projects = Project.objects.filter(vak__in=vakken) if 'vak' in request.GET: try: @@ -23,12 +28,14 @@ def project_list(request, format=None): return Response(serializer.data) elif request.method == 'POST': - serializer = ProjectSerializer(data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data, status=status.HTTP_201_CREATED) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - + if is_lesgever(request.user): + serializer = ProjectSerializer(data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data, status=status.HTTP_201_CREATED) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) + @api_view(['GET', 'PUT', 'DELETE']) def project_detail(request, id, format=None): try: 
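Review bot: project_list repeats the groep_list pattern: the `if request.method == 'GET':` guard is removed in the first hunk while `elif request.method == 'POST':` survives as context in the second, so unless indentation was reworked beyond what this rendering shows, the GET listing with its `return Response(serializer.data)` also handles POST and projects cannot be created. Restore the guard and nest `if is_lesgever(request.user): projects = Project.objects.all()` / `else: ...` under it, matching score_list and vak_list. The student filter `Project.objects.filter(vak__in=vakken)` itself is right.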
@@ -37,16 +44,20 @@ def project_detail(request, id, format=None): return Response(status=status.HTTP_404_NOT_FOUND) if request.method == 'GET': - serializer = ProjectSerializer(project) - return Response(serializer.data) - - elif request.method == 'PUT': - serializer = ProjectSerializer(project, data=request.data) - if serializer.is_valid(): - serializer.save() + if is_lesgever(request.user) or contains(project.vak.studenten, request.user): + serializer = ProjectSerializer(project) return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) - elif request.method == 'DELETE': - project.delete() - return Response(status=status.HTTP_204_NO_CONTENT) + if is_lesgever(request.user): + if request.method == 'PUT': + serializer = ProjectSerializer(project, data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + + elif request.method == 'DELETE': + project.delete() + return Response(status=status.HTTP_204_NO_CONTENT) + return Response(status=status.HTTP_403_FORBIDDEN) diff --git a/api/views/score.py b/api/views/score.py index af5798d5..97239c4e 100644 --- a/api/views/score.py +++ b/api/views/score.py @@ -3,14 +3,22 @@ from rest_framework import status from api.models.score import Score +from api.models.groep import Groep +from api.models.indiening import Indiening from api.serializers.score import ScoreSerializer +from api.utils import is_lesgever, contains @api_view(['GET', 'POST']) def score_list(request, format=None): if request.method == 'GET': - scores = Score.objects.all() + if is_lesgever(request.user): + scores = Score.objects.all() + else: + groepen = Groep.objects.filter(studenten=request.user.id) + indieningen = Indiening.objects.filter(groep__in=groepen) + scores = Score.objects.filter(indiening__in=indieningen) if "indiening" in request.GET: try: 
@@ -23,11 +31,13 @@ def score_list(request, format=None): return Response(serializer.data) elif request.method == 'POST': - serializer = ScoreSerializer(data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data, status=status.HTTP_201_CREATED) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + if is_lesgever(request.user): + serializer = ScoreSerializer(data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data, status=status.HTTP_201_CREATED) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) @api_view(['GET', 'PUT', 'DELETE']) def score_detail(request, id, format=None): 
@@ -35,18 +45,22 @@ def score_detail(request, id, format=None): score = Score.objects.get(pk=id) except Score.DoesNotExist: return Response(status=status.HTTP_404_NOT_FOUND) - - if request.method == 'GET': - serializer = ScoreSerializer(score) - return Response(serializer.data) - elif request.method == 'PUT': - serializer = ScoreSerializer(score, data=request.data) - if serializer.is_valid(): - serializer.save() + if request.method == 'GET': + if is_lesgever(request.user) or contains(score.indiening.groep.studenten, request.user): + serializer = ScoreSerializer(score) return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - - elif request.method == 'DELETE': - score.delete() - return Response(status=status.HTTP_204_NO_CONTENT) + return Response(status=status.HTTP_403_FORBIDDEN) + + if is_lesgever(request.user): + if request.method == 'PUT': + serializer = ScoreSerializer(score, data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + + elif request.method == 'DELETE': + score.delete() + return Response(status=status.HTTP_204_NO_CONTENT) + return Response(status=status.HTTP_403_FORBIDDEN) diff --git a/api/views/vak.py b/api/views/vak.py index 1d266ab8..ab6561bd 100644 --- a/api/views/vak.py +++ b/api/views/vak.py @@ -4,6 +4,7 @@ from api.models.vak import Vak from api.serializers.vak import VakSerializer +from api.utils import is_lesgever, contains from django.core.exceptions import ValidationError 
@@ -12,18 +13,22 @@ def vak_list(request, format=None): if request.method == 'GET': - lesgevers = Vak.objects.all() - serializer = VakSerializer(lesgevers, many=True) + if is_lesgever(request.user): + vakken = Vak.objects.all() + else: + vakken = Vak.objects.filter(studenten=request.user.id) + + serializer = VakSerializer(vakken, many=True) return Response(serializer.data) elif request.method == 'POST': - try: + if is_lesgever(request.user): serializer = VakSerializer(data=request.data) if serializer.is_valid(): serializer.save() return Response(serializer.data, status=status.HTTP_201_CREATED) - except ValidationError as e: - return Response({'error': e}, status=status.HTTP_400_BAD_REQUEST) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + return Response(status=status.HTTP_403_FORBIDDEN) @api_view(['GET', 'PUT', 'DELETE']) 
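Review bot: The POST branch of vak_list drops the `try: ... except ValidationError as e:` that the original wrapped around serializer.save(), while vak_detail's PUT in the next hunk keeps it. That guard was catching django.core.exceptions.ValidationError, which DRF does not translate into a 400, so if model-level validation raised it from save() (the reason it was presumably there), creating a vak now returns a 500 where updating still returns a 400. Either keep the two branches consistent, or better, move that validation into VakSerializer.validate() so it reaches serializer.errors on both paths and the try/except can go from both views.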
@@ -34,19 +39,22 @@ def vak_detail(request, id, format=None): return Response(status=status.HTTP_404_NOT_FOUND) if request.method == 'GET': - serializer = VakSerializer(vak) - return Response(serializer.data) - - elif request.method == 'PUT': - try: - serializer = VakSerializer(vak, data=request.data) - if serializer.is_valid(): - serializer.save() - return Response(serializer.data) - return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) - except ValidationError as e: - return Response({'error': e}, status=status.HTTP_400_BAD_REQUEST) - - elif request.method == 'DELETE': - vak.delete() - return Response(status=status.HTTP_204_NO_CONTENT) + if is_lesgever(request.user) or contains(vak.studenten, request.user): + serializer = VakSerializer(vak) + return Response(serializer.data) + return Response(status=status.HTTP_403_FORBIDDEN) + if is_lesgever(request.user): + if request.method == 'PUT': + try: + serializer = VakSerializer(vak, data=request.data) + if serializer.is_valid(): + serializer.save() + return Response(serializer.data) + return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) + except ValidationError as e: + return Response({'error': e}, status=status.HTTP_400_BAD_REQUEST) + + elif request.method == 'DELETE': + vak.delete() + return Response(status=status.HTTP_204_NO_CONTENT) + return Response(status=status.HTTP_403_FORBIDDEN) diff --git a/api/views/views.py b/api/views/views.py index ed629af6..ce5801b7 100644 --- a/api/views/views.py +++ b/api/views/views.py @@ -8,6 +8,8 @@ def login_redirect(request): + print(get_graph_token()) + gebruiker_post_data = { 'user': request.user.id, 'subjects': [], diff --git a/frontend/frontend/package-lock.json b/frontend/frontend/package-lock.json index 2c201475..1eae7934 100644 --- a/frontend/frontend/package-lock.json +++ b/frontend/frontend/package-lock.json 
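Review bot: The write branches of vak_detail are gated on `is_lesgever(request.user)`, a global role, so any teacher can PUT or DELETE any vak, not only the ones they teach; the same applies to the project, groep and score writes in this commit, and a DELETE here takes whatever cascades from Vak with it. The Vak model is not in this diff, so I cannot tell whether it carries its own teacher relation; if it does, scope the check to that relation (for example `is_lesgever(request.user) and contains(<vak's teacher relation>, request.user)`, with superusers still passing), and propagate the same check through project/groep/score via their vak. Also, is_lesgever() issues a query on every call and is now called twice per request in this view; compute it once at the top.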
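Review bot: `print(get_graph_token())` in login_redirect writes the parsed token-endpoint response to stdout on every login; utils.py shows get_graph_token() returns `response.json()` of a POST to a token URL, so this is the raw credential material landing in process output and whatever log aggregation captures it. Debug output of secrets should not ship; drop the line, or at most log whether a token was obtained, `logger.debug('graph token obtained: %s', get_graph_token() is not None)`, never its value. The result is not used anywhere in the hunk, so the call itself also looks like leftover debugging.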
@@ -24,8 +24,7 @@ "react-helmet": "^6.1.0", "react-helmet-async": "^2.0.4", "react-i18next": "^14.0.5", - "react-router-dom": "^6.22.2", - "sort-by": "^1.2.0" + "react-router-dom": "^6.22.2" }, "devDependencies": { "@types/react": "^18.2.56", @@ -3413,14 +3412,6 @@ "node": ">=0.10.0" } }, - "node_modules/object-path": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.6.0.tgz", - "integrity": "sha512-fxrwsCFi3/p+LeLOAwo/wyRMODZxdGBtUlWRzsEpsUVrisZbEfZ21arxLGfaWfcnqb8oHPNihIb4XPE8CQPN5A==", - "engines": { - "node": ">=0.8.0" - } - }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", @@ -3983,14 +3974,6 @@ "node": ">=8" } }, - "node_modules/sort-by": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/sort-by/-/sort-by-1.2.0.tgz", - "integrity": "sha512-aRyW65r3xMnf4nxJRluCg0H/woJpksU1dQxRtXYzau30sNBOmf5HACpDd9MZDhKh7ALQ5FgSOfMPwZEtUmMqcg==", - "dependencies": { - "object-path": "0.6.0" - } - }, "node_modules/source-map": { "version": "0.5.7", "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",