From b09af4f29a366292f2140302de4f3efb5bf23e18 Mon Sep 17 00:00:00 2001
From: faucomte97
Date: Tue, 10 Sep 2024 00:38:21 +0100
Subject: [PATCH] fix: Fix permissions check for moving students
---
 portal/views/teacher/teach.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/portal/views/teacher/teach.py b/portal/views/teacher/teach.py
index fa5116d90..66c1b2d68 100644
--- a/portal/views/teacher/teach.py
+++ b/portal/views/teacher/teach.py
@@ -868,12 +868,13 @@ def teacher_move_students_to_class(request, access_code):
 def check_if_move_authorised(request, old_class, new_class):
- # check user is authorised to deal with class
- if request.user.new_teacher != old_class.teacher:
- raise Http404
+ teacher = request.user.new_teacher
- # check teacher authorised to transfer to new class
- if request.user.new_teacher.school != new_class.teacher.school:
+ # check teacher has permission to edit old_class and that both classes
+ # are in the same school
+ if (
+ not teacher.is_admin and teacher != old_class.teacher
+ ) or teacher.school != new_class.teacher.school:
 raise Http404
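Review bot: The admin branch of the new condition in `check_if_move_authorised` never ties `old_class` to the teacher's own school. When `teacher.is_admin` is true the ownership clause is skipped and only `new_class.teacher.school` is compared, so the comment's claim that both classes are in the same school holds only for non-admins. Unless the caller `teacher_move_students_to_class` (its body is outside this hunk) already restricts `old_class`, an admin would pass this check for a class that belongs to another school. Compare the source class as well, for example `if teacher.school != old_class.teacher.school or teacher.school != new_class.teacher.school: raise Http404`, followed by the ownership test `if not teacher.is_admin and teacher != old_class.teacher: raise Http404`. A regression test with an admin whose school differs from that of `old_class` would pin the intended behaviour.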