BC-5809 Exclude student from topic draft mode. (#4664)

* Added restrictToUsersCoursesLessons to exclude student from topic draft.
hpi-schul-cloud · Jan 5, 2024 · 0a672f2 · 0a672f2
1 parent 7e8b01d
commit 0a672f2
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/src/services/lesson/hooks/index.js b/src/services/lesson/hooks/index.js
@@ -3,7 +3,7 @@ const { Configuration } = require('@hpi-schul-cloud/commons');
 
 const { nanoid } = require('nanoid');
 const { iff, isProvider } = require('feathers-hooks-common');
-const { NotFound, BadRequest } = require('../../../errors');
+const { NotFound, BadRequest, Forbidden } = require('../../../errors');
 const { equal } = require('../../../helper/compare').ObjectId;
 const {
 	injectUserId,
@@ -204,6 +204,19 @@ const restrictToUsersCoursesLessons = async (context) => {
 	return context;
 };
 
+const restrictToUsersDraftLessons = async (context) => {
+	const user = await context.app.service('users').get(context.params.account.userId, { query: { $populate: 'roles' } });
+	const userIsStudent = user.roles.filter((u) => u.name === 'student').length > 0;
+	const lesson = await context.app.service('lessons').get(context.id);
+	const isDraft = lesson.hidden;
+
+	if (isDraft && userIsStudent) {
+		throw new Forbidden(`You don't have permission.`);
+	}
+
+	return context;
+};
+
 const populateWhitelist = {
 	materialIds: [
 		'_id',
@@ -236,12 +249,12 @@ exports.before = () => {
 			hasPermission('TOPIC_VIEW'),
 			iff(isProvider('external'), validateLessonFind),
 			iff(isProvider('external'), getRestrictPopulatesHook(populateWhitelist)),
-			iff(isProvider('external'), restrictToUsersCoursesLessons),
+			iff(isProvider('external'), restrictToUsersCoursesLessons, restrictToUsersDraftLessons),
 		],
 		get: [
 			hasPermission('TOPIC_VIEW'),
 			iff(isProvider('external'), getRestrictPopulatesHook(populateWhitelist)),
-			iff(isProvider('external'), restrictToUsersCoursesLessons),
+			iff(isProvider('external'), restrictToUsersCoursesLessons, restrictToUsersDraftLessons),
 		],
 		create: [
 			checkIfCourseGroupLesson.bind(this, 'COURSEGROUP_CREATE', 'TOPIC_CREATE', true),
@@ -254,7 +267,7 @@ exports.before = () => {
 			iff(isProvider('external'), preventPopulate),
 			permitGroupOperation,
 			ifNotLocal(checkCorrectCourseOrTeamId),
-			iff(isProvider('external'), restrictToUsersCoursesLessons),
+			iff(isProvider('external'), restrictToUsersCoursesLessons, restrictToUsersDraftLessons),
 			checkIfCourseGroupLesson.bind(this, 'COURSEGROUP_EDIT', 'TOPIC_EDIT', false),
 		],
 		patch: [