From f76f6303a1294bd46d11d126a2df5149834964a4 Mon Sep 17 00:00:00 2001
From: Jakob Dieterle <jakob.dieterle@stud.uni-goettingen.de>
Date: Mon, 12 Jul 2021 14:39:45 +0200
Subject: [PATCH] tutors can now only access participants from their groups
 again.

---
 core/tests/test_student_reviewer_viewset.py | 4 ++--
 core/views/common_views.py                  | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/core/tests/test_student_reviewer_viewset.py b/core/tests/test_student_reviewer_viewset.py
index ffbdac9d..b351f866 100644
--- a/core/tests/test_student_reviewer_viewset.py
+++ b/core/tests/test_student_reviewer_viewset.py
@@ -93,10 +93,10 @@ class StudentPageTests(APITestCase):
         self.assertEqual(3, len(self.rev_response.data))
 
     @override_config(EXERCISE_MODE=True)
-    def test_tutor_can_only_see_students_when_in_exercise_mode(self):
+    def test_tutor_can_only_see_group_members_when_in_exercise_mode(self):
         force_authenticate(self.request, user=self.tutor)
         response = self.view(self.request)
-        self.assertEqual(3, len(response.data))
+        self.assertEqual(2, len(response.data))
 
     def test_submissions_score_is_included(self):
         res_with_sub = None
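Review bot: The updated assertion in `test_tutor_can_only_see_group_members_when_in_exercise_mode` checks only the count, so a filter that returned any two students, including one from another tutor's group, would still pass. Since this test guards an access restriction, compare the returned entries against the students the fixture places in the tutor's group and assert that the out-of-group student is absent. A second case for a tutor who belongs to no exercise group, expecting an empty response, would pin the boundary as well. The fixture setup is outside this hunk, so the exact identifiers to compare have to come from there.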
diff --git a/core/views/common_views.py b/core/views/common_views.py
index 324d3350..ad6318b1 100644
--- a/core/views/common_views.py
+++ b/core/views/common_views.py
@@ -82,7 +82,10 @@ class StudentReviewerApiViewSet(viewsets.ReadOnlyModelViewSet):
             return queryset
 
         elif self.request.user.is_tutor() and config.EXERCISE_MODE:
-            return queryset
+            return queryset.filter(
+                user__exercise_groups__in=self.request.user.exercise_groups.all()
+            )
+
 
         else:
             return []
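Review bot: The new `filter(user__exercise_groups__in=...)` in the tutor branch joins across what looks like a many-to-many relation, so a student who shares more than one exercise group with the tutor would be returned once per shared group. Appending `.distinct()` to the filter, i.e. `queryset.filter(user__exercise_groups__in=self.request.user.exercise_groups.all()).distinct()`, keeps each participant to a single row; confirm against the model definition, which is not visible here. The hunk also leaves two blank lines before the `else:`, where one matches the spacing of the branch above it. The enclosing method starts outside the hunk, so whether detail lookups go through this same scoped queryset cannot be confirmed from the lines shown.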
-- 
GitLab