feat: Update RBAC checks for assignments

2025-12-19 04:19:25 +00:00 · 2024-08-08 00:28:33 +02:00 · 2024-08-08 00:28:33 +02:00 · 360c6b1e1a
commit 360c6b1e1a
parent 364c24e15d
2 changed files with 38 additions and 9 deletions
--- a/apps/api/src/services/courses/activities/assignments.py
+++ b/apps/api/src/services/courses/activities/assignments.py
@ -1,7 +1,3 @@
 ####################################################
 # CRUD
 ####################################################
 from datetime import datetime
 from typing import Literal
 from uuid import uuid4
@ -553,7 +549,7 @@ async def put_assignment_task_submission_file(
    org = db_session.exec(org_statement).first()
    # RBAC check
-    await rbac_check(request, course.course_uuid, current_user, "read", db_session)
+    await rbac_check(request, course.course_uuid, current_user, "update", db_session)
    # Upload reference file
    if sub_file and sub_file.filename and activity and org:
@ -948,7 +944,7 @@ async def update_assignment_task_submission(
        )
    # RBAC check
-    await rbac_check(request, course.course_uuid, current_user, "update", db_session)
+    await rbac_check(request, course.course_uuid, current_user, "read", db_session)
    # Update only the fields that were passed in
    for var, value in vars(assignment_task_submission_object).items():
@ -1083,7 +1079,7 @@ async def create_assignment_submission(
        )
    # RBAC check
-    await rbac_check(request, course.course_uuid, current_user, "create", db_session)
+    await rbac_check(request, course.course_uuid, current_user, "update", db_session)
    # Create Assignment User Submission
    assignment_user_submission = AssignmentUserSubmission(
@ -1319,7 +1315,7 @@ async def update_assignment_submission(
        )
    # RBAC check
-    await rbac_check(request, course.course_uuid, current_user, "update", db_session)
+    await rbac_check(request, course.course_uuid, current_user, "read", db_session)
    # Update only the fields that were passed in
    for var, value in vars(assignment_user_submission_object).items():
@ -1405,6 +1401,18 @@ async def grade_assignment_submission(
            detail="Assignment not found",
        )
    statement = select(Course).where(Course.id == assignment.course_id)
    course = db_session.exec(statement).first()
    if not course:
        raise HTTPException(
            status_code=404,
            detail="Course not found",
        )
    await rbac_check(request, course.course_uuid, current_user, "update", db_session)
    # Check if assignment user submission exists
    statement = select(AssignmentUserSubmission).where(
        AssignmentUserSubmission.user_id == user_id,
@ -1535,6 +1543,18 @@ async def mark_activity_as_done_for_user(
    statement = select(Activity).where(Activity.id == assignment.activity_id)
    activity = db_session.exec(statement).first()
    statement = select(Course).where(Course.id == assignment.course_id)
    course = db_session.exec(statement).first()
    if not course:
        raise HTTPException(
            status_code=404,
            detail="Course not found",
        )
    await rbac_check(request, course.course_uuid, current_user, "update", db_session)
    if not activity:
        raise HTTPException(
            status_code=404,
--- a/apps/web/app/orgs/[orgslug]/dash/assignments/page.tsx
+++ b/apps/web/app/orgs/[orgslug]/dash/assignments/page.tsx
@ -6,7 +6,7 @@ import { getAPIUrl, getUriWithOrg } from '@services/config/config';
 import { getAssignmentsFromACourse } from '@services/courses/assignments';
 import { getCourseThumbnailMediaDirectory } from '@services/media/media';
 import { swrFetcher } from '@services/utils/ts/requests';
-import { Book, EllipsisVertical, GalleryVertical, GalleryVerticalEnd, Layers2, PenBox, UserRoundPen } from 'lucide-react';
+import { Book, EllipsisVertical, GalleryVertical, GalleryVerticalEnd, Info, Layers2, PenBox, UserRoundPen } from 'lucide-react';
 import Link from 'next/link';
 import React from 'react'
 import useSWR from 'swr';
@ -113,6 +113,15 @@ function AssignmentsHome() {
                    </div>
                  </div>
                ))}
                {assignments.length === 0 && (
                  <>
                    <div className='flex mx-auto space-x-2 font-semibold mt-3 text-gray-600 items-center'>
                      <Info size={20} />
                      <p>No assignments available for this course, create course assignments from the course editor</p>
                    </div>
                  </>
                  )}
              </div>
            </div>
          ))}