fix: verify enrollment and admin access before returing batch assessment data

2026-02-19 12:43:50 +05:30
parent 72cee75474
commit c961923fa0
1 changed files with 4 additions and 0 deletions
--- a/lms/lms/utils.py
+++ b/lms/lms/utils.py
@@ -1240,6 +1240,10 @@ def get_batch_courses(batch: str) -> list:
@frappe.whitelist()
 def get_assessments(batch: str) -> list:
 	member = frappe.session.user
+	is_enrolled = frappe.db.exists("LMS Batch Enrollment", {"batch": batch, "member": member})
+	if not is_enrolled and not can_modify_batch(batch):
+		frappe.throw(_("You are not authorized to view the assessments of this batch."))
+
 	assessments = frappe.get_all(
 		"LMS Assessment",
 		{"parent": batch},