fix: misc permission issues

lms/lms/api.py

@@ -799,10 +799,9 @@ def get_announcements(batch: str):
 	is_batch_student = frappe.db.exists(
 		"LMS Batch Enrollment", {"batch": batch, "member": frappe.session.user}
 	)
-	is_moderator = "Moderator" in roles
-	is_evaluator = "Batch Evaluator" in roles
+	is_admin = "Moderator" in roles or "Batch Evaluator" in roles
 
-	if not (is_batch_student or is_moderator or is_evaluator):
+	if not (is_batch_student or is_admin):
 		frappe.throw(
 			_("You do not have permission to access announcements for this batch."), frappe.PermissionError
 		)
@@ -1309,6 +1308,15 @@ def cancel_evaluation(evaluation: dict):
 	if evaluation.member != frappe.session.user:
 		frappe.throw(_("You do not have permission to cancel this evaluation."), frappe.PermissionError)
 
+	if not frappe.db.exists(
+		"LMS Certificate Request",
+		{
+			"name": evaluation.name,
+			"member": frappe.session.user,
+		},
+	):
+		frappe.throw(_("You do not have permission to cancel this evaluation."), frappe.PermissionError)
+
 	frappe.db.set_value("LMS Certificate Request", evaluation.name, "status", "Cancelled")
 	events = frappe.get_all(
 		"Event Participants",

lms/lms/doctype/lms_badge/lms_badge.py

@@ -63,6 +63,7 @@ def eval_condition(doc, condition):
 
 @frappe.whitelist()
 def assign_badge(badge_name: str):
+	frappe.only_for(["Moderator", "Course Creator", "Batch Evaluator"])
 	assignments = []
 	badge = frappe.db.get_value(
 		"LMS Badge",

lms/lms/doctype/lms_batch/lms_batch.py

@@ -286,6 +286,16 @@ def authenticate(zoom_account):
 
 @frappe.whitelist()
 def get_batch_timetable(batch: str):
+	roles = frappe.get_roles()
+	is_batch_student = frappe.db.exists(
+		"LMS Batch Enrollment", {"batch": batch, "member": frappe.session.user}
+	)
+	is_admin = "Moderator" in roles or "Batch Evaluator" in roles
+	if not (is_batch_student or is_admin):
+		frappe.throw(
+			_("You do not have permission to access announcements for this batch."), frappe.PermissionError
+		)
+
 	timetable = frappe.get_all(
 		"LMS Batch Timetable",
 		filters={"parent": batch},

lms/lms/doctype/lms_batch_enrollment/lms_batch_enrollment.py

@@ -110,6 +110,16 @@ def send_confirmation_email(doc: Document):
 	if isinstance(doc, str):
 		doc = frappe._dict(json.loads(doc))
 
+	roles = frappe.get_roles()
+	is_admin = "Moderator" in roles or "Batch Evaluator" in roles
+	is_member = doc.member == frappe.session.user
+
+	if not is_member and not is_admin:
+		frappe.throw(
+			_("You do not have permission to send confirmation emails for this enrollment."),
+			frappe.PermissionError,
+		)
+
 	if not doc.confirmation_email_sent:
 		outgoing_email_account = frappe.get_cached_value(
 			"Email Account", {"default_outgoing": 1, "enable_outgoing": 1}, "name"

lms/lms/doctype/lms_certificate_request/lms_certificate_request.py

@@ -170,6 +170,16 @@ def setup_calendar_event(eval: str):
 	if isinstance(eval, str):
 		eval = frappe._dict(json.loads(eval))
 
+	is_member = eval.member == frappe.session.user
+	roles = frappe.get_roles(frappe.session.user)
+	is_admin = "Moderator" in roles or "Batch Evaluator" in roles
+
+	if not is_member and not is_admin:
+		frappe.throw(
+			_("You do not have permission to set up calendar events for this evaluation."),
+			frappe.PermissionError,
+		)
+
 	calendar = frappe.db.get_value("Google Calendar", {"user": eval.evaluator, "enable": 1}, "name")
 
 	if calendar: