fix: mutations issues + trail + next canary bump

src/services/courses/activities/activities.py

@@ -21,6 +21,7 @@ class ActivityInDB(Activity):
     creationDate: str
     updateDate: str
 
+
 #### Classes ####################################################
 
 
@@ -29,58 +30,102 @@ class ActivityInDB(Activity):
 ####################################################
 
 
-async def create_activity(request: Request, activity_object: Activity, org_id: str, coursechapter_id: str, current_user: PublicUser):
+async def create_activity(
+    request: Request,
+    activity_object: Activity,
+    org_id: str,
+    coursechapter_id: str,
+    current_user: PublicUser,
+):
     activities = request.app.db["activities"]
     courses = request.app.db["courses"]
 
     # generate activity_id
     activity_id = str(f"activity_{uuid4()}")
 
-    hasRoleRights = await verify_user_rights_with_roles(request, "create", current_user.user_id, activity_id, org_id)
+    hasRoleRights = await verify_user_rights_with_roles(
+        request, "create", current_user.user_id, activity_id, org_id
+    )
 
     if not hasRoleRights:
         raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT, detail="Roles : Insufficient rights to perform this action")
+            status_code=status.HTTP_409_CONFLICT,
+            detail="Roles : Insufficient rights to perform this action",
+        )
 
     # create activity
-    activity = ActivityInDB(**activity_object.dict(), creationDate=str(
-        datetime.now()), coursechapter_id=coursechapter_id, updateDate=str(datetime.now()), activity_id=activity_id, org_id=org_id)
+    activity = ActivityInDB(
+        **activity_object.dict(),
+        creationDate=str(datetime.now()),
+        coursechapter_id=coursechapter_id,
+        updateDate=str(datetime.now()),
+        activity_id=activity_id,
+        org_id=org_id,
+    )
     await activities.insert_one(activity.dict())
 
     # update chapter
-    await courses.update_one({"chapters_content.coursechapter_id": coursechapter_id}, {
-        "$addToSet": {"chapters_content.$.activities": activity_id}})
+    await courses.update_one(
+        {"chapters_content.coursechapter_id": coursechapter_id},
+        {"$addToSet": {"chapters_content.$.activities": activity_id}},
+    )
 
     return activity
 
 
 async def get_activity(request: Request, activity_id: str, current_user: PublicUser):
     activities = request.app.db["activities"]
+    courses = request.app.db["courses"]
 
     activity = await activities.find_one({"activity_id": activity_id})
 
-    # verify course rights
-    hasRoleRights = await verify_user_rights_with_roles(request, "read", current_user.user_id, activity_id, element_org_id=activity["org_id"])
+    # get course_id from activity
+    coursechapter_id = activity["coursechapter_id"]
+    course = await courses.find_one({"chapters": coursechapter_id})
 
-    if not hasRoleRights:
+    isCoursePublic = course["public"]
+
+    # verify course rights
+    hasRoleRights = await verify_user_rights_with_roles(
+        request,
+        "read",
+        current_user.user_id,
+        activity_id,
+        element_org_id=activity["org_id"],
+    )
+
+    if not hasRoleRights and not isCoursePublic:
         raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT, detail="Roles : Insufficient rights to perform this action")
+            status_code=status.HTTP_409_CONFLICT,
+            detail="Roles : Insufficient rights to perform this action",
+        )
 
     if not activity:
         raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT, detail="Course does not exist")
+            status_code=status.HTTP_409_CONFLICT, detail="Course does not exist"
+        )
 
     activity = ActivityInDB(**activity)
     return activity
 
 
-async def update_activity(request: Request, activity_object: Activity, activity_id: str, current_user: PublicUser):
-
+async def update_activity(
+    request: Request,
+    activity_object: Activity,
+    activity_id: str,
+    current_user: PublicUser,
+):
     activities = request.app.db["activities"]
 
     activity = await activities.find_one({"activity_id": activity_id})
     # verify course rights
-    await verify_user_rights_with_roles(request, "update", current_user.user_id, activity_id, element_org_id=activity["org_id"])
+    await verify_user_rights_with_roles(
+        request,
+        "update",
+        current_user.user_id,
+        activity_id,
+        element_org_id=activity["org_id"],
+    )
 
     if activity:
         creationDate = activity["creationDate"]
@@ -89,30 +134,44 @@ async def update_activity(request: Request, activity_object: Activity, activity_
         datetime_object = datetime.now()
 
         updated_course = ActivityInDB(
-            activity_id=activity_id, coursechapter_id=activity["coursechapter_id"], creationDate=creationDate, updateDate=str(datetime_object), org_id=activity["org_id"], **activity_object.dict())
+            activity_id=activity_id,
+            coursechapter_id=activity["coursechapter_id"],
+            creationDate=creationDate,
+            updateDate=str(datetime_object),
+            org_id=activity["org_id"],
+            **activity_object.dict(),
+        )
 
-        await activities.update_one({"activity_id": activity_id}, {
-            "$set": updated_course.dict()})
+        await activities.update_one(
+            {"activity_id": activity_id}, {"$set": updated_course.dict()}
+        )
 
         return ActivityInDB(**updated_course.dict())
 
     else:
         raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT, detail="activity does not exist")
+            status_code=status.HTTP_409_CONFLICT, detail="activity does not exist"
+        )
 
 
 async def delete_activity(request: Request, activity_id: str, current_user: PublicUser):
-
     activities = request.app.db["activities"]
 
     activity = await activities.find_one({"activity_id": activity_id})
 
     # verify course rights
-    await verify_user_rights_with_roles(request, "delete", current_user.user_id, activity_id, element_org_id=activity["org_id"])
+    await verify_user_rights_with_roles(
+        request,
+        "delete",
+        current_user.user_id,
+        activity_id,
+        element_org_id=activity["org_id"],
+    )
 
     if not activity:
         raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT, detail="activity does not exist")
+            status_code=status.HTTP_409_CONFLICT, detail="activity does not exist"
+        )
 
     isDeleted = await activities.delete_one({"activity_id": activity_id})
 
@@ -120,26 +179,30 @@ async def delete_activity(request: Request, activity_id: str, current_user: Publ
         return {"detail": "activity deleted"}
     else:
         raise HTTPException(
-            status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="Unavailable database")
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Unavailable database",
+        )
+
 
 ####################################################
 # Misc
 ####################################################
 
 
-async def get_activities(request: Request, coursechapter_id: str,  current_user: PublicUser):
+async def get_activities(
+    request: Request, coursechapter_id: str, current_user: PublicUser
+):
     activities = request.app.db["activities"]
 
-    # TODO : TERRIBLE SECURITY ISSUE HERE, NEED TO FIX ASAP
-    # TODO : TERRIBLE SECURITY ISSUE HERE, NEED TO FIX ASAP
-    # TODO : TERRIBLE SECURITY ISSUE HERE, NEED TO FIX ASAP
-
     activities = activities.find({"coursechapter_id": coursechapter_id})
 
     if not activities:
         raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT, detail="Course does not exist")
+            status_code=status.HTTP_409_CONFLICT, detail="Course does not exist"
+        )
 
-    activities = [ActivityInDB(**activity) for activity in await activities.to_list(length=100)]
+    activities = [
+        ActivityInDB(**activity) for activity in await activities.to_list(length=100)
+    ]
 
     return activities