From d01244e377360f8d942af253a57bf63ab22358e9 Mon Sep 17 00:00:00 2001
From: Julian Leucker <leuckerj@gmail.com>
Date: Wed, 17 Aug 2022 14:16:54 +0200
Subject: [PATCH] Only allow teachers to access the CourseBook

---
 aleksis/apps/alsijil/menus.py |  7 ++++++-
 aleksis/apps/alsijil/rules.py |  5 +++++
 aleksis/apps/alsijil/views.py | 10 +++++-----
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/aleksis/apps/alsijil/menus.py b/aleksis/apps/alsijil/menus.py
index 26ec4f932..f4d6a8956 100644
--- a/aleksis/apps/alsijil/menus.py
+++ b/aleksis/apps/alsijil/menus.py
@@ -18,7 +18,12 @@ MENUS = {
                     "url": "select_coursebook",
                     "svg_icon": "mdi:book-education-outline",
                     "vuetify_icon": "mdi-book-education-outline",
-                    # FIXME: Permissions
+                    "validators": [
+                        (
+                            "aleksis.core.util.predicates.permission_validator",
+                            "alsijil.view_coursebook_rule",
+                        ),
+                    ]
                 },
                 {
                     "name": _("Current lesson"),
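Review bot: The closing `]` of the new `validators` list has no trailing comma, unlike the other entries in this dict; writing it as `],` keeps the style consistent and makes the next added key a one-line diff. Note also that this validator only controls whether the menu entry is shown, so access control still depends on the view-level permission and on `alsijil.view_coursebook_rule` being bound to the intended predicate in rules.py. The enclosing `MENUS` dict starts and ends outside this hunk.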
diff --git a/aleksis/apps/alsijil/rules.py b/aleksis/apps/alsijil/rules.py
index e9011c6c2..83af497c9 100644
--- a/aleksis/apps/alsijil/rules.py
+++ b/aleksis/apps/alsijil/rules.py
@@ -204,6 +204,11 @@ view_students_list_predicate = view_my_groups_predicate & (
 )
 add_perm("alsijil.view_students_list_rule", view_students_list_predicate)
 
+# View CourseBook
+view_coursebook_predicate = has_person & is_teacher
+add_perm("alsijil.view_coursebook_rule", view_my_students_predicate)
+
+
 # View person overview
 view_person_overview_predicate = has_person & (
     (is_current_person & is_site_preference_set("alsijil", "view_own_personal_notes"))
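Review bot: `add_perm("alsijil.view_coursebook_rule", view_my_students_predicate)` registers a different predicate from the one defined on the line above it, so the new `view_coursebook_predicate` is never used. As written, the coursebook permission grants whatever `view_my_students_predicate` allows (it is defined outside this hunk), not the `has_person & is_teacher` check the commit title describes, and the menu validator and both views in this patch inherit that. The second argument should be `view_coursebook_predicate`. A test asserting that a logged-in non-teacher is denied `alsijil.view_coursebook_rule` would catch this kind of copy-paste slip.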
diff --git a/aleksis/apps/alsijil/views.py b/aleksis/apps/alsijil/views.py
index 3a24d1df6..57ea6b835 100644
--- a/aleksis/apps/alsijil/views.py
+++ b/aleksis/apps/alsijil/views.py
@@ -25,7 +25,7 @@ from django_tables2 import RequestConfig, SingleTableView
 from guardian.core import ObjectPermissionChecker
 from guardian.shortcuts import get_objects_for_user
 from reversion.views import RevisionMixin
-from rules.contrib.views import PermissionRequiredMixin, permission_required, LoginRequiredMixin
+from rules.contrib.views import PermissionRequiredMixin, permission_required
 
 from aleksis.apps.chronos.managers import TimetableType
 from aleksis.apps.chronos.models import (
@@ -1358,19 +1358,19 @@ class AllRegisterObjectsView(PermissionRequiredMixin, View):
         return render(request, "alsijil/class_register/all_objects.html", context)
 
 
-class CoursebookView(LoginRequiredMixin, DetailView):
+class CoursebookView(PermissionRequiredMixin, DetailView):
     model = Lesson
     template_name = "alsijil/class_register/coursebook.html"
-    permission_required = ""  # FIXME
+    permission_required = "alsijil.view_coursebook_rule"
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         return context
 
 
-class SelectCoursebookView(LoginRequiredMixin, TemplateView):
+class SelectCoursebookView(PermissionRequiredMixin, TemplateView):
     template_name = "alsijil/class_register/select_coursebook.html"
-    permission_required = ""  # FIXME
+    permission_required = "alsijil.view_coursebook_rule"  # FIXME
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
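Review bot: `CoursebookView` is a `DetailView` over `Lesson`, but the permission it now requires is role-level, because the predicate defined for it in rules.py (`has_person & is_teacher`) does not look at which lesson is requested. If that is the check that ends up being evaluated, any teacher could open the coursebook of any `Lesson` by id. Consider a lesson-scoped rule for `CoursebookView` and keep the role-level rule for `SelectCoursebookView`. rules' `PermissionRequiredMixin` appears to pass the view's object to the predicate, so also confirm the registered predicate accepts a `Lesson`. The `# FIXME` left on `SelectCoursebookView.permission_required` is now stale and should be removed or say what remains to be done; that class's body continues outside the hunk.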
-- 
GitLab