From c961923fa07c62d3ae67391b08ce4bd69df241d7 Mon Sep 17 00:00:00 2001
From: Jannat Patel
Date: Thu, 19 Feb 2026 12:43:50 +0530
Subject: [PATCH] fix: verify enrollment and admin access before returing batch assessment data
---
 lms/lms/utils.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lms/lms/utils.py b/lms/lms/utils.py
index 84e387cd..c336b19b 100644
--- a/lms/lms/utils.py
+++ b/lms/lms/utils.py
@@ -1240,6 +1240,10 @@ def get_batch_courses(batch: str) -> list:
 @frappe.whitelist()
 def get_assessments(batch: str) -> list:
 member = frappe.session.user
+ is_enrolled = frappe.db.exists("LMS Batch Enrollment", {"batch": batch, "member": member})
+ if not is_enrolled and not can_modify_batch(batch):
+ frappe.throw(_("You are not authorized to view the assessments of this batch."))
+
 assessments = frappe.get_all(
 "LMS Assessment",
 {"parent": batch},
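Review bot: The added `frappe.throw(...)` in `get_assessments` passes no exception class, so the denial is raised as Frappe's default `ValidationError` (HTTP 417) instead of a permission error. Passing the class returns a 403 and lets denied access be told apart from bad input in logs and monitoring: `frappe.throw(_("You are not authorized to view the assessments of this batch."), frappe.PermissionError)`. `can_modify_batch` is defined outside this hunk, so it is worth confirming that it returns False for non-moderators rather than raising, and that it checks the caller's role for this specific batch. If other whitelisted batch readers in this file return non-public data, they presumably need the same enrolled-or-admin gate; `get_batch_courses`, named in the hunk header, is one to check. The body of `get_assessments` continues past the end of the hunk.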