From 6f04a6b693e99b573efcc94023dab0be4d6d83bb Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gregor.kleen@ifi.lmu.de>
Date: Tue, 1 Jun 2021 18:09:21 +0200
Subject: [PATCH] fix(auth): properly restrict various auth by school

---
 src/Foundation/Authorization.hs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Foundation/Authorization.hs b/src/Foundation/Authorization.hs
index ff547456f..a4ca5385a 100644
--- a/src/Foundation/Authorization.hs
+++ b/src/Foundation/Authorization.hs
@@ -538,7 +538,7 @@ tagAccessPredicate AuthAdmin = cacheAPSchoolFunction SchoolAdmin (Just $ Right d
       -- Schools: access only to school admins
       SchoolR ssh _ -> $cachedHereBinary (mAuthId, ssh) . exceptT return return $ do
         authId <- maybeExceptT AuthenticationRequired $ return mAuthId
-        isAdmin <- lift $ exists [UserFunctionUser ==. authId, UserFunctionFunction ==. SchoolAdmin]
+        isAdmin <- lift . existsBy $ UniqueUserFunction authId ssh SchoolAdmin
         guardMExceptT isAdmin (unauthorizedI MsgUnauthorizedSchoolAdmin)
         return Authorized
       -- other routes: access to any admin is granted here
@@ -608,8 +608,8 @@ tagAccessPredicate AuthExamOffice = cacheAPSchoolFunction SchoolExamOffice (Just
         return Authorized
       SchoolR ssh _ -> $cachedHereBinary (mAuthId, ssh) . exceptT return return $ do
         authId <- maybeExceptT AuthenticationRequired $ return mAuthId
-        isAdmin <- lift $ exists [UserFunctionUser ==. authId, UserFunctionFunction ==. SchoolExamOffice]
-        guardMExceptT isAdmin (unauthorizedI MsgUnauthorizedSchoolExamOffice)
+        isExamOffice <- lift . existsBy $ UniqueUserFunction authId ssh SchoolExamOffice
+        guardMExceptT isExamOffice (unauthorizedI MsgUnauthorizedSchoolExamOffice)
         return Authorized
       _other -> $cachedHereBinary mAuthId . exceptT return return $ do
         authId <- maybeExceptT AuthenticationRequired $ return mAuthId