Implement server-side role checks and enhance result announcement API #1925

Merged
vikrantwiz02 merged 1 commit into FusionIIIT:prod/acad-react from vikrantwiz02:prod/acad-react on Jun 28, 2026
Conversation

@vikrantwiz02 (Member)

This pull request significantly improves the security and correctness of role-based access control throughout the examination and academic procedures APIs. Instead of relying on client-supplied role fields, the code now consistently checks the authenticated user's actual roles using helper functions, preventing privilege escalation and unauthorized access. Additionally, there are minor optimizations and new API endpoints added.

Role-based access control improvements:

  • Replaced all checks of client-supplied role or Role fields with calls to user_holds_role or user_holds_any_role, ensuring authorization is always based on the authenticated user's actual roles in views.py.
  • Updated the check_role utility in academic procedures to use the user's actual designations from the database, never trusting client input.

Performance and correctness improvements:

  • Optimized result announcement queries in ResultAnnouncementListAPI by using select_related to avoid N+1 queries and fetch related batch and discipline data efficiently.

New API endpoints:

  • Added two new endpoints to examination/api/urls.py: announcement-students/ and publish-result-selected/.

Other minor fixes:

  • Added import of PublishedResultStudent and role helper functions to examination/api/views.py.
  • Improved result announcement logic to check if results are actually published for a student before returning results.

These changes collectively harden the system against unauthorized access and improve maintainability by centralizing role-check logic.
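The pattern the description above refers to, as an added illustration that is not the FusionIIIT project's own code: a view that decides on a client-supplied "Role" field beside one that asks the server's own record of the authenticated user's designations, plus the per-student "is this result actually published?" lookup. The helper names user_holds_role and user_holds_any_role come from the PR; their bodies, the in-memory tables standing in for the designation and PublishedResultStudent models, and the users alice, bob and carol are all constructed for this demo.

```python
# Added example (not the project's code). The dict tables below are constructed
# stand-ins for database rows; a real implementation queries the ORM instead.
from dataclasses import dataclass, field

# Stand-in for the designation table the server-side check consults.
USER_DESIGNATIONS = {
    "alice": {"acadadmin"},   # hypothetical academic admin
    "bob": {"student"},       # hypothetical student
    "carol": {"student"},     # hypothetical student, result not yet published
}

# Stand-in for PublishedResultStudent: (student, batch) pairs that are released.
PUBLISHED_RESULT_STUDENT = {("bob", "B.Tech 2022")}

# Stand-in result store: (student, batch) -> grades.
RESULTS = {
    ("bob", "B.Tech 2022"): {"CS101": "A"},
    ("carol", "B.Tech 2022"): {"CS101": "B"},
}


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Request:
    user: str                                   # identity set by the auth layer
    data: dict = field(default_factory=dict)    # request body, chosen by the client


def user_holds_role(username: str, role: str) -> bool:
    """Server-side check: does the stored designation table grant this role?"""
    return role in USER_DESIGNATIONS.get(username, set())


def user_holds_any_role(username: str, roles) -> bool:
    """True if the stored designations grant at least one of the given roles."""
    return any(user_holds_role(username, r) for r in roles)


# Before: the decision rests on a field the client controls.
def publish_result_insecure(request: Request) -> dict:
    if request.data.get("Role") != "acadadmin":
        raise Forbidden("acadadmin only")
    return {"published": True, "by": request.user}


# After: the decision rests on the authenticated identity and the database only.
def publish_result_secure(request: Request) -> dict:
    if not user_holds_any_role(request.user, ("acadadmin", "Dean Academic")):
        raise Forbidden("acadadmin or dean only")
    return {"published": True, "by": request.user}


def student_result(request: Request, batch: str) -> dict:
    """Return the caller's own grades, only if a published record exists for them."""
    if not user_holds_role(request.user, "student"):
        raise Forbidden("students only")
    if (request.user, batch) not in PUBLISHED_RESULT_STUDENT:
        return {"published": False, "grades": {}}
    return {"published": True, "grades": RESULTS.get((request.user, batch), {})}


def outcome(view, request: Request) -> str:
    """Run a view and report whether it allowed or refused the request."""
    try:
        view(request)
        return "allowed"
    except Forbidden:
        return "forbidden"


def demo() -> dict:
    # A student whose client puts Role=acadadmin in the body.
    body_claims_admin = Request(user="bob", data={"Role": "acadadmin"})
    # A genuine acadadmin whose client sends no Role field at all.
    real_admin = Request(user="alice")
    return {
        "insecure_body_claim": outcome(publish_result_insecure, body_claims_admin),
        "secure_body_claim": outcome(publish_result_secure, body_claims_admin),
        "insecure_real_admin": outcome(publish_result_insecure, real_admin),
        "secure_real_admin": outcome(publish_result_secure, real_admin),
        "bob_published": student_result(Request(user="bob"), "B.Tech 2022")["published"],
        "carol_published": student_result(Request(user="carol"), "B.Tech 2022")["published"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two rows of demo() that matter are the body-claim pair: the insecure view grants the request purely because the body says so, while the secure view refuses it because the designation table has no admin row for that user; the real admin is refused by the old check (no Role field sent) and accepted by the new one. The student lookup shows the second point of the description: grades are returned only when a PublishedResultStudent-style record exists for that student.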

…ctionality

- Refactored role checking in academic procedures to use actual user designations instead of client-supplied roles.
- Added new API endpoints for managing result announcements, including per-student selection for published results.
- Introduced a new model PublishedResultStudent to track which students have their results published.
- Updated existing views and permissions to enforce role-based access control using the new role-checking methods.
- Enhanced curriculum management views with role-based access restrictions for academic admins and deans.
- Added migration for new fields in the ResultAnnouncement model to support the new functionality.
@vikrantwiz02 vikrantwiz02 self-assigned this Jun 27, 2026
@vikrantwiz02 vikrantwiz02 merged commit 4dd310b into FusionIIIT:prod/acad-react Jun 28, 2026
1 check passed
