fix(exam): allow any institute teacher to fetch template source PDF
Some checks failed
api-ci-deploy / test-build-deploy (push) Has been cancelled
Removed the teacher_id ownership check from _require_source_visibility_or_404. RLS already ensures a teacher can only see templates in their institute; the ownership gate was blocking shared templates (e.g. board-uploaded AQA papers) for any teacher who didn't personally create them. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
6daa905ecd
commit
9cc986a3f1
@ -69,9 +69,7 @@ def _require_owner(ctx: ExamContext, template: Dict[str, Any]) -> None:
def _require_source_visibility_or_404(ctx: ExamContext, template: Dict[str, Any]) -> None:
"""Template source reads must not leak existence across institutes or non-owners."""
if template.get("teacher_id") != ctx.user_id:
raise HTTPException(status_code=404, detail="Template not found")
"""Institute boundary check — RLS already gates template visibility; this prevents cross-institute PDF leakage."""
if template.get("institute_id") not in ctx.institute_ids:
raise HTTPException(status_code=404, detail="Template not found")
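Review bot: The rewritten docstring in `_require_source_visibility_or_404` drops the "non-owners" wording, but nothing in the hunk states that write paths still go through the `_require_owner` helper visible in the hunk header; please say so in the docstring so a later reader does not assume source reads and mutations share the same (now institute-wide) gate. The change also deserves two tests that do not appear here: a teacher in the same institute who did not create the template can now fetch the source PDF, and a teacher outside the institute still receives 404 (not 403) so template existence is not leaked across institutes. Finally, confirm that `ctx.institute_ids` is always a populated collection: an empty collection fails closed with 404, which is the right default, but a `None` would make `not in` raise a TypeError and surface as a 500 instead.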