codeforlife-portal 8.7.0__py2.py3-none-any.whl → 8.7.1__py2.py3-none-any.whl

{codeforlife_portal-8.7.0.dist-info → codeforlife_portal-8.7.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeforlife-portal
-Version: 8.7.0
+Version: 8.7.1
 Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Framework :: Django
@@ -8,7 +8,7 @@ Description-Content-Type: text/markdown
 License-File: LICENSE.md
 Requires-Dist: asgiref==3.8.1; python_version >= "3.8"
 Requires-Dist: certifi==2025.4.26; python_version >= "3.6"
-Requires-Dist: cfl-common==8.7.0
+Requires-Dist: cfl-common==8.7.1
 Requires-Dist: chardet==5.2.0; python_version >= "3.7"
 Requires-Dist: charset-normalizer==3.4.2; python_version >= "3.7"
 Requires-Dist: diff-match-patch==20241021; python_version >= "3.7"
@@ -60,7 +60,7 @@ Requires-Dist: asttokens==3.0.0; python_version >= "3.8" and extra == "dev"
 Requires-Dist: attrs==25.3.0; python_version >= "3.8" and extra == "dev"
 Requires-Dist: black==25.1.0; python_version >= "3.9" and extra == "dev"
 Requires-Dist: certifi==2025.4.26; python_version >= "3.6" and extra == "dev"
-Requires-Dist: cfl-common==8.7.0; extra == "dev"
+Requires-Dist: cfl-common==8.7.1; extra == "dev"
 Requires-Dist: charset-normalizer==3.4.2; python_version >= "3.7" and extra == "dev"
 Requires-Dist: click==8.1.8; python_version >= "3.7" and extra == "dev"
 Requires-Dist: coverage[toml]==7.8.0; python_version >= "3.9" and extra == "dev"

{codeforlife_portal-8.7.0.dist-info → codeforlife_portal-8.7.1.dist-info}/RECORD

@@ -87,7 +87,7 @@ cfl_common/common/tests/utils/organisation.py,sha256=vNgKFtU3VPcWRnZfh82yCS90PLA
 cfl_common/common/tests/utils/student.py,sha256=PLd980iSlxmMoB8J3C2pVjNC5xHdVxfAkJXzhv_dRhg,3814
 cfl_common/common/tests/utils/teacher.py,sha256=KQ_NAl4yQqiX_zwcULQjkovc29JPhnkLR5Nk3Ljzbpg,2661
 cfl_common/common/tests/utils/user.py,sha256=NvLzZLVP4jy5Hn1iztOYF_BTQ9WsbSmuWMEzGzhAsRU,919
-codeforlife_portal-8.7.0.dist-info/licenses/LICENSE.md,sha256=9AbRlCDqD2D1tPibimysFv3zg3AIc49-eyv9aEsyq9w,115
+codeforlife_portal-8.7.1.dist-info/licenses/LICENSE.md,sha256=9AbRlCDqD2D1tPibimysFv3zg3AIc49-eyv9aEsyq9w,115
 deploy/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 deploy/captcha.py,sha256=MbOBuGnbT_SOIltSjP1XMOLrfo1DldCilaVAEim0vM4,23
 deploy/views.py,sha256=7mY2zNPkaBFrlWGByJHp2zFqHIHSMc0YArjE_sFWMMU,131
@@ -111,7 +111,7 @@ example_project/portal_test_settings.py,sha256=AaXwSSB2A6qu6My_7cBciQa_jONy084uq
 example_project/settings.py,sha256=RRSHhAgJVDn4uNZG395V6_Td7jwsSaBGNwQBZ_KJm0Y,5973
 example_project/urls.py,sha256=FUTzHPlUS1O5kqMHjL5V4L552N2ln7uTDXcw9wjKUto,422
 example_project/wsgi.py,sha256=U1W6WzZxZaIdYZ5tks7w9fqp5WS5qvn2iThsVcskrWw,829
-portal/__init__.py,sha256=nW2S9cxog2B_2xeN534jt1o6PE7ow-7Hd0PLILs5K5o,22
+portal/__init__.py,sha256=a3FQRJoDSFET9iDvdpENKACBRF5lwOJHqpR4Y9QjQY4,22
 portal/admin.py,sha256=RKJizTF6dPJKmGPZw7nZUM0X8jkiTjgyKhLQxtvHJ0I,6148
 portal/app_settings.py,sha256=DhWLQOwM0zVOXE3O5TNKbMM9K6agfLuCsHOdr1J7xEI,651
 portal/backends.py,sha256=2Dss6_WoQwPuDzJUF1yEaTQTNG4eUrD12ujJQ5cp5Tc,812
@@ -541,7 +541,7 @@ portal/tests/test_emails.py,sha256=pLr06j3uMBxP1raoZQWzUTBVFvsEDFtUh85J8OnqCwE,9
 portal/tests/test_global_forms.py,sha256=GIm_oSN4VsfaO--E2SMRu8CwVraan0UBj-_LE_tu8w0,833
 portal/tests/test_helper_methods.py,sha256=-SQCDZm2XUtyXGEp0CHIb_SSC9CPD-XOSnpnY8QclHk,890
 portal/tests/test_independent_student.py,sha256=NrRjTEr6V4WXpCE74N8LYNVocvLSvddkjuo3dYpfAZc,27245
-portal/tests/test_invite_teacher.py,sha256=QKHWVzyd5OLpTOQ0j8p9ZF6DSCWPHcWHZwCpNTFG_6o,12320
+portal/tests/test_invite_teacher.py,sha256=hynk2p63URQocCS8N6-IQnQWkdzggQ-1jGDuWcRSY_Y,14902
 portal/tests/test_middleware.py,sha256=HV7AdgWyvgrtPyDMw3np5YDbUstFpKif7Qqw-e8gs5s,8258
 portal/tests/test_organisation.py,sha256=kCMUNzLN6EzaMUBcFkqXwnqLGgOuQxQWIHHt63nhqBs,7574
 portal/tests/test_partials.py,sha256=cSLNLjdsriROjPxkZlM3HKD3CSKDuKgpaDIdL3fPyBs,1794
@@ -628,13 +628,13 @@ portal/views/student/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hS
 portal/views/student/edit_account_details.py,sha256=Ba-3D_zzKbX5N01NG5qqBS0ud10B8D5SN8hOpLiGa9U,8468
 portal/views/student/play.py,sha256=GMxk65bxWOe1Ds2kb6rvuOd1GoAtt5v_9AihLNXoUL0,8768
 portal/views/teacher/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-portal/views/teacher/dashboard.py,sha256=Y6OhT7h4hgNZAEDZDJP86F7SjrL8W12t0rpHipSYgSQ,27977
+portal/views/teacher/dashboard.py,sha256=Z5PGmyEmNSltCPMzADq2tUN66LHPVrdrtgdMgvPlrkk,28119
 portal/views/teacher/teach.py,sha256=IXlvsJ_1pX7oSr2SMWdWWC7aCFDA38IgxAoHzy_HHp4,36850
 portal/views/two_factor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 portal/views/two_factor/core.py,sha256=Lk32z2SN2Pg0rRkK-N-LXMvXC1kKKsH3l692kiSDQ4E,964
 portal/views/two_factor/form.py,sha256=lnHNKI-BMlpncTuW3zUzjPaJJNuEra2I_nOam0eOKFY,257
 portal/views/two_factor/profile.py,sha256=SHSg_xHccE5PtD-OfuOkYhREYz_er4bj5ro1RjJ88Yw,393
-codeforlife_portal-8.7.0.dist-info/METADATA,sha256=7qpquiwQ0MoxSQLDR-I_zYAtbxZ_WQJARb6jUe3mDeE,12318
-codeforlife_portal-8.7.0.dist-info/WHEEL,sha256=JNWh1Fm1UdwIQV075glCn4MVuCRs0sotJIq-J6rbxCU,109
-codeforlife_portal-8.7.0.dist-info/top_level.txt,sha256=8e5pdsuIoTqEAMqpelHBjGjLbffcBtgOoggmd2q7nMw,41
-codeforlife_portal-8.7.0.dist-info/RECORD,,
+codeforlife_portal-8.7.1.dist-info/METADATA,sha256=obJATb8BqSwTeVWDexVXJ5bM8Rid-sCKkyCIjbRAwC0,12318
+codeforlife_portal-8.7.1.dist-info/WHEEL,sha256=JNWh1Fm1UdwIQV075glCn4MVuCRs0sotJIq-J6rbxCU,109
+codeforlife_portal-8.7.1.dist-info/top_level.txt,sha256=8e5pdsuIoTqEAMqpelHBjGjLbffcBtgOoggmd2q7nMw,41
+codeforlife_portal-8.7.1.dist-info/RECORD,,

portal/__init__.py

@@ -1 +1 @@
-__version__ = "8.7.0"
+__version__ = "8.7.1"

portal/tests/test_invite_teacher.py

@@ -5,7 +5,7 @@ from uuid import uuid4
 import pytest
 from common.models import SchoolTeacherInvitation, Teacher
 from common.tests.utils.classes import create_class_directly
-from common.tests.utils.organisation import create_organisation_directly
+from common.tests.utils.organisation import create_organisation_directly, join_teacher_to_organisation
 from common.tests.utils.teacher import signup_teacher_directly
 from django.contrib.messages import get_messages
 from django.core import mail
@@ -149,8 +149,66 @@ class TestInviteTeacher(TestCase):
             "access this page."
         )
 
+    def test_invite_permissions(self):
+        # Create an admin and a standard teacher in the same school
+        admin_email, admin_password = signup_teacher_directly()
+        school = create_organisation_directly(admin_email)
+        create_class_directly(admin_email)
+
+        standard_email, standard_password = signup_teacher_directly()
+        join_teacher_to_organisation(standard_email, school.name)
+        create_class_directly(standard_email)
+
+        # Log in as standard teacher, try inviting a teacher, no invitation should be created
+        client = Client()
+        client.login(username=standard_email, password=standard_password)
+
+        dashboard_url = reverse("dashboard")
+        data = {
+            "teacher_first_name": "Valid",
+            "teacher_last_name": "Name",
+            "teacher_email": "new@teacher.com",
+            "invite_teacher": "",
+        }
+
+        response = client.post(dashboard_url, data)
+
+        assert response.status_code == 200
+        messages = list(response.context["messages"])
+        assert len(messages) == 0
+        assert len(mail.outbox) == 0
+        client.logout()
+
+        assert not SchoolTeacherInvitation.objects.filter(invited_teacher_email="new@teacher.com").exists()
+
+        # Log in as admin teacher to invite a teacher
+        client.login(username=admin_email, password=admin_password)
+
+        dashboard_url = reverse("dashboard")
+        data = {
+            "teacher_first_name": "Valid",
+            "teacher_last_name": "Name",
+            "teacher_email": "new@teacher.com",
+            "invite_teacher": "",
+        }
+
+        client.post(dashboard_url, data)
+        client.logout()
+
+        assert SchoolTeacherInvitation.objects.filter(invited_teacher_email="new@teacher.com").exists()
+        invite =  SchoolTeacherInvitation.objects.get(invited_teacher_email="new@teacher.com")
+
+        # Log in as standard teacher, try resending and deleting the invitation, both should fail
+        client.login(username=standard_email, password=standard_password)
+
+        response = client.post(reverse("resend_invite_teacher", kwargs={"token": invite.token}))
+        message = list(response.wsgi_request._messages)[0].message
+        assert message == "You do not have permission to perform this action or the invite does not exist"
+
+        response = client.post(reverse("delete_teacher_invite", kwargs={"token": invite.token}))
+        message = list(response.wsgi_request._messages)[0].message
+        assert message == "You do not have permission to perform this action or the invite does not exist"
 
-class TestTeacherInviteAPI(TestCase):
     def test_delete_exception(self):
         email, password = signup_teacher_directly()
         create_organisation_directly(email)

portal/views/teacher/dashboard.py

@@ -29,6 +29,7 @@ from django.utils import timezone
 from django.views.decorators.http import require_POST
 from game.level_management import levels_shared_with, unshare_level
 from game.models import Level
+from game.views.level_selection import is_admin_teacher
 from two_factor.utils import devices_for_user
 
 from portal.forms.invite_teacher import InviteTeacherForm
@@ -160,7 +161,7 @@ def dashboard_teacher_view(request, is_admin):
         elif request.POST.get("show_onboarding_complete") == "1":
             show_onboarding_complete = True
 
-        elif "invite_teacher" in request.POST:
+        elif "invite_teacher" in request.POST and is_admin:
             invite_teacher_form = InviteTeacherForm(request.POST)
             if invite_teacher_form.is_valid():
                 data = invite_teacher_form.cleaned_data
@@ -674,7 +675,7 @@ def delete_teacher_invite(request, token):
     teacher = request.user.new_teacher
 
     # auth the user before deletion
-    if invite is None or teacher.school != invite.school:
+    if invite is None or teacher.school != invite.school or not is_admin_teacher(request.user):
         messages.error(
             request,
             "You do not have permission to perform this action or the invite does not exist",
@@ -698,7 +699,7 @@ def resend_invite_teacher(request, token):
     teacher = request.user.new_teacher
 
     # auth the user before deletion
-    if invite is None or teacher.school != invite.school:
+    if invite is None or teacher.school != invite.school or not is_admin_teacher(request.user):
         messages.error(
             request,
             "You do not have permission to perform this action or the invite does not exist",
@@ -706,7 +707,7 @@ def resend_invite_teacher(request, token):
     else:
         invite.expiry = timezone.now() + timedelta(days=30)
         invite.save()
-        teacher = Teacher.objects.filter(id=invite.from_teacher.id)[0]
+        teacher = Teacher.objects.filter(id=invite.from_teacher.id)
 
         messages.success(request, "Teacher re-invited!")