hacklabr / timtec

MOOC platform built with Django and Angular to deliver and manage courses, classes and student activities
GNU Affero General Public License v3.0
73 stars 64 forks

ClassViewSet returns all results if the user has no role configured #620

Open laurybueno opened 7 years ago

laurybueno commented 7 years ago

The problem appears in the class's get_queryset

timtec/core/views.py

    def get_queryset(self):
        queryset = super(ClassViewSet, self).get_queryset()
        if self.request.user.is_staff or self.request.user.is_superuser:
            return queryset

        course_id = self.request.query_params.get('course')
        if course_id:
            try:
                role = self.request.user.teaching_courses.get(course__id=course_id).role
            except ObjectDoesNotExist:
                role = ''
            # if user is not coordinator or admin, only show his classes
            if not role or role == 'assistant':
                queryset = queryset.filter(assistant=self.request.user)

        return queryset
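
In the method quoted above, the assistant filter sits inside `if course_id:`, so a non-staff request that sends no `course` parameter falls through to the unfiltered queryset. The following is an added example, not part of the issue or of the timtec code base: a plain-Python model of that control flow next to a default-deny variant that decides per class. `Klass`, `User`, both function names and the sample data are hypothetical and constructed for illustration; the role name `coordinator` is taken from the code comment in the issue.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Klass:            # hypothetical stand-in for a Class row
    id: int
    course_id: int
    assistant: str


@dataclass
class User:             # hypothetical stand-in for request.user
    name: str
    is_staff: bool = False
    is_superuser: bool = False
    roles: dict = field(default_factory=dict)   # course_id -> role


def scope_as_posted(user, classes, course_id=None):
    """Same branches as the get_queryset quoted in the issue."""
    if user.is_staff or user.is_superuser:
        return list(classes)
    visible = list(classes)
    if course_id:                       # filter only runs when ?course= is sent
        role = user.roles.get(course_id, '')
        if not role or role == 'assistant':
            visible = [c for c in visible if c.assistant == user.name]
    return visible                      # no ?course= -> nothing was filtered


def scope_default_deny(user, classes):
    """Decide per class from the class's own course, not from a query parameter."""
    if user.is_staff or user.is_superuser:
        return list(classes)

    def allowed(c):
        role = user.roles.get(c.course_id, '')
        return c.assistant == user.name or bool(role and role != 'assistant')

    return [c for c in classes if allowed(c)]


# Constructed sample data
CLASSES = [Klass(1, 10, 'ana'), Klass(2, 10, 'bob'), Klass(3, 20, 'bob')]
NO_ROLE = User('eve')
ASSISTANT = User('ana', roles={10: 'assistant'})
COORDINATOR = User('carl', roles={10: 'coordinator'})
```

In a Django view the same default-deny rule would be expressed as a queryset filter applied before any optional narrowing by `course`.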