From 1f8e76d68b1591a68d1f462c89929c18681ba97b Mon Sep 17 00:00:00 2001
From: Steffen Jost
Date: Fri, 7 Oct 2022 17:49:38 +0200
Subject: [PATCH] chore(supervisor): adding a supervisor auth tag WIP
---
 .../settings/auth_settings/de-de-formal.msg | 1 +
 .../settings/auth_settings/en-eu.msg | 1 +
 routes | 18 +++++++++---------
 src/Handler/LMS.hs | 2 +-
 src/Model/Types/Security.hs | 1 +
 5 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/messages/uniworx/categories/settings/auth_settings/de-de-formal.msg b/messages/uniworx/categories/settings/auth_settings/de-de-formal.msg
index 95f1a6d85..e7cce8c1d 100644
--- a/messages/uniworx/categories/settings/auth_settings/de-de-formal.msg
+++ b/messages/uniworx/categories/settings/auth_settings/de-de-formal.msg
@@ -54,3 +54,4 @@ AuthTagSubmissionGroup: Nutzer:in ist Mitglied in registrierter Abgabegruppe
 AuthTagWorkflow: Nutzer:in hat passende Workflow-Rolle
 AuthTagStudent: Nutzer:in ist Student:in
 AuthTagExamTime: Zeitliche Einschränkungen durch relevante Prüfung sind erfüllt
+AuthTagSupervisor: Nutzer:in ist Ansprechpartner für jemand anderes
\ No newline at end of file
diff --git a/messages/uniworx/categories/settings/auth_settings/en-eu.msg b/messages/uniworx/categories/settings/auth_settings/en-eu.msg
index 98dcfe1ac..b66c53d1b 100644
--- a/messages/uniworx/categories/settings/auth_settings/en-eu.msg
+++ b/messages/uniworx/categories/settings/auth_settings/en-eu.msg
@@ -54,3 +54,4 @@ AuthTagSubmissionGroup: User is part of a submission group
 AuthTagWorkflow: User has matching workflow role
 AuthTagStudent: User is a student
 AuthTagExamTime: Exam time restrictions are satisfied
+AuthTagSupervisor: User is supervisor for someone else
diff --git a/routes b/routes
index 750a1703a..b44324da6 100644
--- a/routes
+++ b/routes
@@ -92,8 +92,8 @@
 /user/lang LangR POST !free
 /user/storage-key StorageKeyR POST !free
--- /user/for/#CryptoUUIDUser ForProfileR GET POST !supervisor
--- /user/profile/for/#CryptoUUIDUser ForProfuleDataR GET !supervisor
+/user/for/#CryptoUUIDUser ForProfileR GET POST !supervisor
+/user/profile/for/#CryptoUUIDUser ForProfuleDataR GET !supervisor
 /exam-office ExamOfficeR !exam-office:
@@ -278,14 +278,14 @@
 /lms/#SchoolId/#QualificationShorthand LmsR GET POST !free -- TODO verify that this is ok
 /lms/#SchoolId/#QualificationShorthand/edit LmsEditR GET POST
 /lms/#SchoolId/#QualificationShorthand/users LmsUsersR GET
-/lms/#SchoolId/#QualificationShorthand/users/direct LmsUsersDirectR GET
+/lms/#SchoolId/#QualificationShorthand/users/direct LmsUsersDirectR GET !development
 /lms/#SchoolId/#QualificationShorthand/userlist LmsUserlistR GET POST
-/lms/#SchoolId/#QualificationShorthand/userlist/upload LmsUserlistUploadR GET POST
-/lms/#SchoolId/#QualificationShorthand/userlist/direct LmsUserlistDirectR POST
-/lms/#SchoolId/#QualificationShorthand/result LmsResultR GET POST
-/lms/#SchoolId/#QualificationShorthand/result/upload LmsResultUploadR GET POST
-/lms/#SchoolId/#QualificationShorthand/result/direct LmsResultDirectR POST
-/lms/#SchoolId/#QualificationShorthand/fake LmsFakeR GET POST -- TODO: delete this testing URL
+/lms/#SchoolId/#QualificationShorthand/userlist/upload LmsUserlistUploadR GET POST !development
+/lms/#SchoolId/#QualificationShorthand/userlist/direct LmsUserlistDirectR POST !token
+/lms/#SchoolId/#QualificationShorthand/result LmsResultR GET POST
+/lms/#SchoolId/#QualificationShorthand/result/upload LmsResultUploadR GET POST !development
+/lms/#SchoolId/#QualificationShorthand/result/direct LmsResultDirectR POST !token
+/lms/#SchoolId/#QualificationShorthand/fake LmsFakeR GET POST !development -- TODO: delete this testing URL
 /api ApiDocsR GET !free
 /swagger SwaggerR GET !free
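Review bot: The two `/user/for/...` routes in the first hunk go live behind `!supervisor`, yet the diffstat lists only the `AuthSupervisor` constructor and its two message strings, so how the tag is evaluated is not visible in this commit. The new message reads "User is supervisor for someone else"; for these routes the check has to bind to the `#CryptoUUIDUser` in the path, otherwise any supervisor could read (and, through POST on `ForProfileR`, change) any user's profile. I would keep both routes commented out until the predicate lands, or at least add `-- !supervisor must check the relation to the user in the path, not just "is a supervisor"`. `ForProfuleDataR` also looks like a typo for `ForProfileDataR`, and LMS.hs in this same patch now references it.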
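Review bot: In the second hunk `LmsFakeR` stays routable with GET and POST and is fenced only by `!development`, while its own comment calls it a testing URL to delete; what that tag admits in a production deployment is not visible here, so removing the route is safer than tagging it. `LmsUsersDirectR` gets `!development` although the other two `/direct` endpoints get `!token`; if it serves the same machine client, `!token` would be the consistent choice, and if not, a trailing comment saying why would help. `LmsR` keeps `!free` next to `-- TODO verify that this is ok`, and `LmsEditR`, `LmsUsersR`, `LmsUserlistR` and `LmsResultR` carry no explicit tag, so their protection depends on a default defined outside this hunk.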
diff --git a/src/Handler/LMS.hs b/src/Handler/LMS.hs
index d75ed1010..8a925bb14 100644
--- a/src/Handler/LMS.hs
+++ b/src/Handler/LMS.hs
@@ -363,7 +363,7 @@ mkLmsTable (Entity qid quali) acts restrict cols psValidator = do
 pjob <- preview $ _dbtProjRow . resultPrintJob
 forMM_ (view $ _dbtProjFilter . _ltProjFilterMayAccess) $ \b -> do
 euid <- encrypt $ user ^. _entityKey
- guardM . lift . lift . fmap (== b) . hasReadAccessTo . urlRoute $ AdminUserR euid -- TODO create a page with proper rights; this is only for admins!
+ guardM . lift . lift . fmap (== b) . hasReadAccessTo . urlRoute $ ForProfuleDataR euid -- TODO create a page with proper rights; this is only for admins!
 return (qusr,user,lusr,pjob)
 dbtColonnade = cols
diff --git a/src/Model/Types/Security.hs b/src/Model/Types/Security.hs
index 2d7915795..8a40f084a 100644
--- a/src/Model/Types/Security.hs
+++ b/src/Model/Types/Security.hs
@@ -115,6 +115,7 @@ data AuthTag -- sortiert nach gewünschter Reihenfolge auf /authpreds, d.h. Prä
 | AuthToken
 | AuthDeprecated
 | AuthDevelopment
+ | AuthSupervisor
 | AuthFree
 deriving (Eq, Ord, Enum, Bounded, Read, Show, Data, Generic, Typeable)
 deriving anyclass (Universe, Finite, Hashable, NFData)
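Review bot: The trailing comment on the changed `guardM` line still says "this is only for admins!", which described `AdminUserR` but not a check against `ForProfuleDataR`. This line decides which user rows pass the `_ltProjFilterMayAccess` filter, so row visibility in the LMS table now follows whatever `!supervisor` evaluates to for the encrypted user id. I would replace the comment with something like `-- visible iff the viewer may read this user's profile data (supervisor relation); TODO dedicated route`. The body of `mkLmsTable` starts and continues outside the hunk.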
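Review bot: `AuthSupervisor` is added without a comment saying which relation it asserts, and because the type derives `Ord`, `Enum` and `Bounded`, inserting it before `AuthFree` shifts `AuthFree`'s derived position. If anything stores or orders tags by `fromEnum` or by the derived ordering (the declaration's own comment says the order drives `/authpreds`), the position should be chosen deliberately rather than by appending before the last constructor. I would add a Haddock note such as `| AuthSupervisor -- ^ viewer is a registered supervisor of the user the route refers to`, adjusted to the intended semantics. The `data AuthTag` declaration begins outside the hunk.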