Changeset 3818

Timestamp:

15 Dec 2008, 15:31:55 (16 years ago)

Author:

Henrik Bettermann

Message:

lecturer_course_edit.py: resolve ticket Schools #2, member_id must be identical with lecturer_id of course

customize getLecturerCourseResults.py and lecturer_students_list.pt

Location:

WAeUP_SRP/trunk/skins

Files:

• waeup_ois/getLecturerCourseResults.py (added)
• waeup_ois/lecturer_students_list.pt (added)
• waeup_student/lecturer_course_edit.py (modified) (3 diffs)

WAeUP_SRP/trunk/skins/waeup_student/lecturer_course_edit.py

@@ -9 +9 @@
 # $Id: course_edit.py 1071 2006-12-16 15:53:13Z joachim $
 """
-This method is for demonstration purposes only.
-There is noi security to deter lecturers from editing courses they are not allowed to edit.
 """
 try:
@@ -34 +32 @@
 requested_id = context.getStudentId()
 if not 'Lecturers' in groups and not context.isSectionOfficer():
-    logger.info('%s tried to access course result of %s' % (member_id,requested_id))
+    logger.info('%s tried to access course result of %s but is not a lecturer' % (member_id,requested_id))
     return REQUEST.RESPONSE.redirect("%s/srp_anonymous_view" % context.portal_url())
 
@@ -48 +46 @@
 mode = 'edit'
 object = {}
-course = course_results[0]
+course_result = course_results[0]
+course = context.courses_catalog(code=course_id)[0]
+lecturer_id = getattr(course,'lecturer',None)
+#set_trace()
+if str(lecturer_id) != member_id:
+    logger.info('%s tried to access course result %s of %s but is not a lecturer of this course' % (member_id,course_id,requested_id))
+    return REQUEST.RESPONSE.redirect("%s/srp_anonymous_view" % context.portal_url())
+
 for field in context.course_results.schema():
-    object[field] = getattr(course,field,None)
+    object[field] = getattr(course_result,field,None)
     if repr(object[field]) == 'Missing.Value':
         object[field] = None
-#set_trace()     
+     
 lt = context.portal_layouts
 res,psm, ds = lt.renderLayout(schema_id = 'student_course_result',