Implement server-side role checks and enhance result announcement API#1925
Merged
vikrantwiz02 merged 1 commit into Jun 28, 2026
…ctionality
- Refactored role checking in academic procedures to use actual user designations instead of client-supplied roles.
- Added new API endpoints for managing result announcements, including per-student selection for published results.
- Introduced a new model PublishedResultStudent to track which students have their results published.
- Updated existing views and permissions to enforce role-based access control using the new role-checking methods.
- Enhanced curriculum management views with role-based access restrictions for academic admins and deans.
- Added migration for new fields in the ResultAnnouncement model to support the new functionality.
This pull request significantly improves the security and correctness of role-based access control throughout the examination and academic procedures APIs. Instead of relying on client-supplied role fields, the code now consistently checks the authenticated user's actual roles using helper functions, preventing privilege escalation and unauthorized access. Additionally, there are minor optimizations and new API endpoints added.
Role-based access control improvements:
- `role` or `Role` fields with calls to `user_holds_role` or `user_holds_any_role`, ensuring authorization is always based on the authenticated user's actual roles in `views.py` [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25].
- `check_role` utility in academic procedures to use the user's actual designations from the database, never trusting client input.

Performance and correctness improvements:

- `ResultAnnouncementListAPI` by using `select_related` to avoid N+1 queries and fetch related batch and discipline data efficiently.

New API endpoints:

- `examination/api/urls.py`: `announcement-students/` and `publish-result-selected/`.

Other minor fixes:

- `PublishedResultStudent` and role helper functions to `examination/api/views.py`.

These changes collectively harden the system against unauthorized access and improve maintainability by centralizing role-check logic.
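The before/after pattern this PR describes, as an added illustration that is not code from the PR or the project: a view that trusts a client-supplied `role` field beside one that asks the server-side helpers. The helper names `user_holds_role` and `user_holds_any_role` are taken from the PR; their bodies, the in-memory `DESIGNATIONS` table standing in for the database designation records, the `Request` stand-in and the role labels are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the user's designation records in the database.
# In the project this would be an ORM lookup; here it is a plain dict.
DESIGNATIONS = {
    "alice": {"dean_academic", "faculty"},
    "bob": {"student"},
}

PUBLISH_ROLES = ("dean_academic", "acadadmin")  # constructed role labels


def user_holds_role(username, role):
    """Server-side check: does the authenticated user actually hold `role`?"""
    return role in DESIGNATIONS.get(username, set())


def user_holds_any_role(username, roles):
    """True if the user holds at least one of `roles` (from stored designations)."""
    return any(user_holds_role(username, r) for r in roles)


@dataclass
class Request:
    user: str                                   # authenticated username
    data: dict = field(default_factory=dict)    # client-supplied request body


def publish_result_vulnerable(request):
    # 'before' pattern: authorization decided by a field the client controls,
    # so any authenticated user can claim "dean_academic" and be let through.
    if request.data.get("role") in PUBLISH_ROLES:
        return 200, "published"
    return 403, "forbidden"


def publish_result_hardened(request):
    # 'after' pattern: the client's role field is ignored; only the user's
    # stored designations decide, so a forged role in the body has no effect.
    if user_holds_any_role(request.user, PUBLISH_ROLES):
        return 200, "published"
    return 403, "forbidden"
```

A student who puts `"role": "dean_academic"` in the body gets 200 from the vulnerable view and 403 from the hardened one, while a real dean passes the hardened check with no role field at all.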