From 7e683f8b4406d383dc80a418269dd169d373cbcd Mon Sep 17 00:00:00 2001
From: Jannat Patel
Date: Mon, 16 Feb 2026 18:20:02 +0530
Subject: [PATCH] fix: permission checks for api
---
 lms/lms/api.py | 3 ++-
 lms/lms/utils.py | 14 ++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/lms/lms/api.py b/lms/lms/api.py
index 00097e83..9768b174 100644
--- a/lms/lms/api.py
+++ b/lms/lms/api.py
@@ -1511,6 +1511,7 @@ def validate_meta_data_permissions(meta_type: str):
 @frappe.whitelist()
 def create_programming_exercise_submission(exercise: str, submission: str, code: str, test_cases: list):
+ frappe.only_for(["Moderator", "Course Creator", "Batch Evaluator"])
 if submission == "new":
 return make_new_exercise_submission(exercise, code, test_cases)
 else:
@@ -2037,7 +2038,7 @@ def get_upcoming_batches():
 @frappe.whitelist()
 def delete_programming_exercise(exercise: str):
- frappe.only_for(["Moderator", "Course Creator"])
+ frappe.only_for(["Moderator", "Course Creator", "Batch Evaluator"])
 frappe.db.delete("LMS Programming Exercise Submission", {"exercise": exercise})
 frappe.db.delete("LMS Programming Exercise", exercise)
diff --git a/lms/lms/utils.py b/lms/lms/utils.py
index 6862abf6..56ff7258 100644
--- a/lms/lms/utils.py
+++ b/lms/lms/utils.py
@@ -1010,12 +1010,7 @@ def get_lesson(course: str, chapter: int, lesson: int) -> dict:
 as_dict=1,
 )
- if (
- not lesson_details.include_in_preview
- and not membership
- and not has_moderator_role()
- and not is_instructor(course)
- ):
+ if not lesson_details.include_in_preview and not membership and not can_modify_course(course):
 return {
 "no_preview": 1,
 "title": lesson_details.title,
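Review bot: The new `frappe.only_for` gate on create_programming_exercise_submission is a role test only, and the update path (`submission != "new"`, handled in the `else:` branch that continues outside the hunk) still takes a caller-supplied submission name with no visible check that it belongs to `frappe.session.user`, so any holder of these roles could presumably overwrite another user's submission. If learners are meant to submit exercises through this endpoint, the gate also locks them out entirely; "Batch Evaluator" reads as an evaluating role rather than a submitting one, so the intended caller set is worth confirming. A comment stating who is expected to call this, e.g. `# only course staff may create/update exercise submissions via this endpoint`, would make the intent reviewable.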
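Review bot: Widening `frappe.only_for` on delete_programming_exercise to "Batch Evaluator" lets that role delete any exercise and every submission for it site-wide, because the check is a global role test with no per-course scoping; the utils.py hunk in this same commit scopes lesson access through `can_modify_course(course)`, and this destructive path would benefit from the same scoping if LMS Programming Exercise carries a course reference (not visible here). `frappe.db.delete` issues a raw delete that bypasses DocType permission checks and `on_trash` hooks, so the role gate is the only control on this path. A why-comment above the gate, e.g. `# sole authorization check: frappe.db.delete below bypasses DocType permissions and hooks`, would keep that visible to the next maintainer.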
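Review bot: Replacing `has_moderator_role() or is_instructor(course)` with `can_modify_course(course)` changes who may read a non-preview lesson without a membership unless can_modify_course is exactly the union of those two checks; if it admits more roles (the commit adds "Batch Evaluator" elsewhere) or omits moderators, the access rule silently shifts, and the commit message does not say which is intended. A short comment on the new condition, e.g. `# non-preview lessons: members plus anyone allowed to edit the course`, would pin the intent. get_lesson starts and ends outside the hunk and can_modify_course is not visible here, so this is inferred rather than observed.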
@@ -2050,6 +2045,13 @@ def get_program_details(program_name: str) -> dict:
 if not guest_access_allowed():
 frappe.throw(_("Please login to view program details."))
+ is_published = frappe.db.get_value("LMS Program", program_name, "published")
+ is_member = frappe.db.exists(
+ "LMS Program Member", {"parent": program_name, "member": frappe.session.user}
+ )
+ if not is_published and not is_member:
+ frappe.throw(_("You are not authorized to view the details of this program."))
+
 program = frappe.db.get_value(
 "LMS Program",
 program_name,
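Review bot: The new published/membership guard in get_program_details admits only program members to an unpublished program, so moderators or course creators working on an unpublished program would presumably be refused by this endpoint unless the staff UI fetches it another way; `has_moderator_role()` already exists in this file (it appears in the get_lesson hunk), so the guard could read `if not is_published and not is_member and not has_moderator_role():`. The rejection uses a plain `frappe.throw`, which surfaces as a validation error rather than a permission failure; `frappe.throw(_("You are not authorized to view the details of this program."), frappe.PermissionError)` yields the 403 that clients and audit logs key on. When program_name does not exist, `get_value` returns None and a non-member receives "not authorized" rather than "not found", which is reasonable non-disclosure but deserves a comment such as `# unknown program names deliberately fall through to the same 'not authorized' response`.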