fix(course-news): fix permissions

src/Foundation.hs

@@ -1129,13 +1129,13 @@ tagAccessPredicate AuthAllocationRegistered = APDB $ \mAuthId route _ -> case ro
   r -> $unsupportedAuthPredicate AuthAllocationRegistered r
 tagAccessPredicate AuthParticipant = APDB $ \mAuthId route _ -> case route of
   CNewsR tid ssh csh cID _ -> maybeT (unauthorizedI MsgUnauthorizedCourseNewsParticipant) $ do
-    uid <- hoistMaybe mAuthId
     nId <- catchIfMaybeT (const True :: CryptoIDError -> Bool) $ decrypt cID
     CourseNews{courseNewsParticipantsOnly} <- $cachedHereBinary nId . MaybeT $ get nId
-    if | courseNewsParticipantsOnly
-         -> exceptT return (const mzero) . hoist lift $ isCourseParticipant tid ssh csh uid
+    if | courseNewsParticipantsOnly -> do
+           uid <- hoistMaybe mAuthId
+           exceptT return (const mzero) . hoist lift $ isCourseParticipant tid ssh csh uid
        | otherwise
-         -> return Authorized
+           -> return Authorized
 
   CourseR tid ssh csh (CUserR cID) -> exceptT return return $ do
     participant <- catchIfMExceptT (const $ unauthorizedI MsgUnauthorizedParticipant) (const True :: CryptoIDError -> Bool) $ decrypt cID

templates/course.hamlet

@@ -1,6 +1,6 @@
 $newline never
 <dl .deflist>
-  $if not (null news) || not visibleNews
+  $if not (null news) || mayCreateNews
     <dt .deflist__dt>
       _{MsgCourseNews}
       $if not visibleNews