From 87e588cd1f5d27188e73f9434a6d215e50ef98ee Mon Sep 17 00:00:00 2001
From: Jannat Patel
Date: Thu, 26 Feb 2026 15:48:21 +0530
Subject: [PATCH] fix: misc permission issues

---
 lms/lms/api.py | 14 +++++++++++---
 lms/lms/doctype/lms_badge/lms_badge.py | 1 +
 lms/lms/doctype/lms_batch/lms_batch.py | 10 ++++++++++
 .../lms_batch_enrollment/lms_batch_enrollment.py | 10 ++++++++++
 .../lms_certificate_request.py | 10 ++++++++++
 5 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/lms/lms/api.py b/lms/lms/api.py
index 69ac3088..f119742e 100644
--- a/lms/lms/api.py
+++ b/lms/lms/api.py
@@ -799,10 +799,9 @@ def get_announcements(batch: str):
 is_batch_student = frappe.db.exists(
 "LMS Batch Enrollment", {"batch": batch, "member": frappe.session.user}
 )
- is_moderator = "Moderator" in roles
- is_evaluator = "Batch Evaluator" in roles
+ is_admin = "Moderator" in roles or "Batch Evaluator" in roles

- if not (is_batch_student or is_moderator or is_evaluator):
+ if not (is_batch_student or is_admin):
 frappe.throw(
 _("You do not have permission to access announcements for this batch."), frappe.PermissionError
 )
@@ -1309,6 +1308,15 @@ def cancel_evaluation(evaluation: dict):
 if evaluation.member != frappe.session.user:
 frappe.throw(_("You do not have permission to cancel this evaluation."), frappe.PermissionError)

+ if not frappe.db.exists(
+ "LMS Certificate Request",
+ {
+ "name": evaluation.name,
+ "member": frappe.session.user,
+ },
+ ):
+ frappe.throw(_("You do not have permission to cancel this evaluation."), frappe.PermissionError)
+
 frappe.db.set_value("LMS Certificate Request", evaluation.name, "status", "Cancelled")
 events = frappe.get_all(
 "Event Participants",
diff --git a/lms/lms/doctype/lms_badge/lms_badge.py b/lms/lms/doctype/lms_badge/lms_badge.py
index f87f3d7c..d8b958f5 100644
--- a/lms/lms/doctype/lms_badge/lms_badge.py
+++ b/lms/lms/doctype/lms_badge/lms_badge.py
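Review bot: The new `frappe.db.exists` lookup keyed on `evaluation.name` and `frappe.session.user` is the only ownership check in cancel_evaluation that is backed by stored data; the preceding `if evaluation.member != frappe.session.user` compares a field of the caller-supplied `evaluation` dict and cannot establish ownership on its own, so the added lookup makes it redundant. Consider dropping that first comparison, or keeping only the DB-backed one with a comment such as `# authoritative owner check: the request must exist and belong to the session user; evaluation.member is caller-supplied`. The lookup also does not constrain `status`, so a request that is already completed or cancelled would still be set to Cancelled on the next line — worth confirming against the intended state transitions. cancel_evaluation's body continues outside the hunk.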
@@ -63,6 +63,7 @@ def eval_condition(doc, condition):

 @frappe.whitelist()
 def assign_badge(badge_name: str):
+ frappe.only_for(["Moderator", "Course Creator", "Batch Evaluator"])
 assignments = []
 badge = frappe.db.get_value(
 "LMS Badge",
diff --git a/lms/lms/doctype/lms_batch/lms_batch.py b/lms/lms/doctype/lms_batch/lms_batch.py
index e34c8366..6ac92276 100644
--- a/lms/lms/doctype/lms_batch/lms_batch.py
+++ b/lms/lms/doctype/lms_batch/lms_batch.py
@@ -286,6 +286,16 @@ def authenticate(zoom_account):

 @frappe.whitelist()
 def get_batch_timetable(batch: str):
+ roles = frappe.get_roles()
+ is_batch_student = frappe.db.exists(
+ "LMS Batch Enrollment", {"batch": batch, "member": frappe.session.user}
+ )
+ is_admin = "Moderator" in roles or "Batch Evaluator" in roles
+ if not (is_batch_student or is_admin):
+ frappe.throw(
+ _("You do not have permission to access announcements for this batch."), frappe.PermissionError
+ )
+
 timetable = frappe.get_all(
 "LMS Batch Timetable",
 filters={"parent": batch},
diff --git a/lms/lms/doctype/lms_batch_enrollment/lms_batch_enrollment.py b/lms/lms/doctype/lms_batch_enrollment/lms_batch_enrollment.py
index d789e0a7..86058741 100644
--- a/lms/lms/doctype/lms_batch_enrollment/lms_batch_enrollment.py
+++ b/lms/lms/doctype/lms_batch_enrollment/lms_batch_enrollment.py
@@ -110,6 +110,16 @@ def send_confirmation_email(doc: Document):
 if isinstance(doc, str):
 doc = frappe._dict(json.loads(doc))

+ roles = frappe.get_roles()
+ is_admin = "Moderator" in roles or "Batch Evaluator" in roles
+ is_member = doc.member == frappe.session.user
+
+ if not is_member and not is_admin:
+ frappe.throw(
+ _("You do not have permission to send confirmation emails for this enrollment."),
+ frappe.PermissionError,
+ )
+
 if not doc.confirmation_email_sent:
 outgoing_email_account = frappe.get_cached_value(
 "Email Account", {"default_outgoing": 1, "enable_outgoing": 1}, "name"
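Review bot: `frappe.only_for(["Moderator", "Course Creator", "Batch Evaluator"])` gates assign_badge by role only, so any user holding Course Creator or Batch Evaluator passes regardless of which badge is involved; if badges are tied to a course or batch (the rest of the body is outside the hunk), an object-level check against the caller's own course or batch is still needed for those two roles. A short comment on the new line would record the intent, e.g. `# role gate only; Course Creator / Batch Evaluator are not scoped to their own courses here`. The function body continues outside the hunk.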
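Review bot: The error text in the new guard of get_batch_timetable still says `access announcements for this batch`, copied from get_announcements in api.py, so a timetable caller gets a misleading message; change it to `_("You do not have permission to access the timetable for this batch.")`. The guard otherwise duplicates the access logic of get_announcements line for line, and a shared helper in api.py (a name like `has_batch_access(batch)`, for instance) would keep the two from drifting, though that is outside this hunk. The use of `_` here assumes it is already imported in lms_batch.py, which the hunk does not show. get_batch_timetable's body continues past the hunk.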
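Review bot: `is_member = doc.member == frappe.session.user` in send_confirmation_email trusts a field of `doc`, which the context line above rebuilds from caller-supplied JSON via `frappe._dict(json.loads(doc))`, so for non-admin callers the check only verifies that the request body names the session user, not that the stored enrollment belongs to them. The same pattern appears in setup_calendar_event in lms_certificate_request.py (`is_member = eval.member == frappe.session.user`). Prefer the approach cancel_evaluation takes in this commit and resolve ownership from the database, e.g. `is_member = frappe.db.exists("LMS Batch Enrollment", {"name": doc.name, "member": frappe.session.user})`, assuming `doc.name` identifies the enrollment when `doc` arrives as JSON. Whether this function is whitelisted is not visible in the hunk; if it is only called server-side the exposure is smaller, but the comparison is still worth documenting as non-authoritative. The function body continues outside the hunk.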
diff --git a/lms/lms/doctype/lms_certificate_request/lms_certificate_request.py b/lms/lms/doctype/lms_certificate_request/lms_certificate_request.py
index 7d56a60c..af3a0122 100644
--- a/lms/lms/doctype/lms_certificate_request/lms_certificate_request.py
+++ b/lms/lms/doctype/lms_certificate_request/lms_certificate_request.py
@@ -170,6 +170,16 @@ def setup_calendar_event(eval: str):
 if isinstance(eval, str):
 eval = frappe._dict(json.loads(eval))

+ is_member = eval.member == frappe.session.user
+ roles = frappe.get_roles(frappe.session.user)
+ is_admin = "Moderator" in roles or "Batch Evaluator" in roles
+
+ if not is_member and not is_admin:
+ frappe.throw(
+ _("You do not have permission to set up calendar events for this evaluation."),
+ frappe.PermissionError,
+ )
+
 calendar = frappe.db.get_value("Google Calendar", {"user": eval.evaluator, "enable": 1}, "name")
 if calendar: