From 13b459ac752092c37f54d9df83e7fdb407894a56 Mon Sep 17 00:00:00 2001
From: Remco Tukker <remco.tukker@geant.org>
Date: Wed, 16 Aug 2023 07:57:24 +0200
Subject: [PATCH] correctly handle opening a survey that the user isnt allowed to edit
---
 compendium_v2/routes/response.py | 13 ++++++++++---
 survey-frontend/src/SurveyContainerComponent.tsx | 1 +
 survey-frontend/src/SurveyNavigationComponent.tsx | 5 +++--
 3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/compendium_v2/routes/response.py b/compendium_v2/routes/response.py
index 7c62d84c..60b7fa9b 100644
--- a/compendium_v2/routes/response.py
+++ b/compendium_v2/routes/response.py
@@ -30,6 +30,7 @@ SURVEY_RESPONSE_SCHEMA = {
 'verification_status': {'type': 'object'},
 'mode': {'type': 'string'},
 'status': {'type': 'string'},
+ 'edit_allowed': {'type': 'boolean'},
 },
 'required': ['model', 'locked_by', 'data', 'page', 'verification_status', 'mode', 'status'],
 'additionalProperties': False
@@ -111,7 +112,8 @@ def try_survey(year) -> Any:
 "page": 0,
 "verification_status": {},
 "mode": SurveyMode.Edit,
- "status": RESPONSE_NOT_STARTED
+ "status": RESPONSE_NOT_STARTED,
+ "edit_allowed": True
 }
@@ -152,7 +154,8 @@ def inspect_survey(year) -> Any:
 "page": 0,
 "verification_status": {},
 "mode": SurveyMode.Edit,
- "status": RESPONSE_NOT_STARTED
+ "status": RESPONSE_NOT_STARTED,
+ "edit_allowed": True
 }
@@ -219,7 +222,8 @@ def load_survey(year, nren_name) -> Any:
 "page": page,
 "verification_status": verification_status,
 "mode": SurveyMode.Display,
- "status": response.status.value if response else RESPONSE_NOT_STARTED
+ "status": response.status.value if response else RESPONSE_NOT_STARTED,
+ "edit_allowed": current_user.is_admin or survey.status == SurveyStatus.open
 }
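Review bot: In the `SURVEY_RESPONSE_SCHEMA` hunk, `edit_allowed` is added to the properties but not to the `required` list two lines below it, although the `try_survey`, `inspect_survey` and `load_survey` hunks of this patch all emit the key. If the schema is used to validate these responses (not visible here), a route that later drops the key would still validate, and the frontend would read `undefined` and silently hide the edit button. I would extend the list to `'required': [..., 'mode', 'status', 'edit_allowed'],`. The schema dict starts above the hunk.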
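Review bot: The `edit_allowed` expression in the `load_survey` hunk, `current_user.is_admin or survey.status == SurveyStatus.open`, is the same rule that the `lock_survey` hunk of this patch enforces in negated form, so the UI hint and the server-side guard can drift apart when only one of them is edited. A single helper used by both places, for example `def _may_edit(user, survey): return user.is_admin or survey.status == SurveyStatus.open`, keeps them in step. The field also deserves a comment saying it is advisory for the frontend and that enforcement lives in the routes, such as `# UI hint only; lock_survey enforces the same rule`. The function body starts above the hunk, so whether `check_access_nren` has already run before this dict is built cannot be seen here.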
@@ -248,6 +252,9 @@ def lock_survey(year, nren_name) -> Any:
 if not check_access_nren(current_user, nren):
 return {'message': 'You do not have permissions to access this survey.'}, 403
+ if survey.status != SurveyStatus.open and not current_user.is_admin:
+ return {'message': 'Survey is closed'}, 400
+
 response = db.session.scalar(
 select(SurveyResponse).where(SurveyResponse.survey_year == year)
 .where(SurveyResponse.nren_id == nren.id)
diff --git a/survey-frontend/src/SurveyContainerComponent.tsx b/survey-frontend/src/SurveyContainerComponent.tsx
index 3ac87e48..65a576dd 100644
--- a/survey-frontend/src/SurveyContainerComponent.tsx
+++ b/survey-frontend/src/SurveyContainerComponent.tsx
@@ -66,6 +66,7 @@ function SurveyContainerComponent({ loadFrom }) {
 survey.mode = json['mode'];
 survey.lockedBy = json['locked_by'];
 survey.status = json['status'];
+ survey.editAllowed = json['edit_allowed'];
 setSurveyModel(survey);
 }
diff --git a/survey-frontend/src/SurveyNavigationComponent.tsx b/survey-frontend/src/SurveyNavigationComponent.tsx
index 3e893a12..4c2b323d 100644
--- a/survey-frontend/src/SurveyNavigationComponent.tsx
+++ b/survey-frontend/src/SurveyNavigationComponent.tsx
@@ -49,7 +49,7 @@ function SurveyNavigationComponent({ surveyModel, surveyActions, year, nren, chi
 const renderExternalNavigation = () => {
 return (
 <div className="survey-edit-buttons-block">
- {!editing && !lockedBy && renderButton('Start editing', 'startEdit')}
+ {!editing && !lockedBy && surveyModel.editAllowed && renderButton('Start editing', 'startEdit')}
 {!editing && lockedBy && lockedBy == loggedInUser.name && renderButton('Discard any unsaved changes and release your lock', 'releaseLock')}
 {editing && (pageNo === surveyModel.visiblePages.length - 1) && renderButton('Complete Survey', 'complete')}
 {editing && renderButton(saveAndStopEdit, 'saveAndStopEdit')}
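Review bot: The closed-survey guard added in `lock_survey` covers acquiring a lock only, so a lock taken while the survey was still open, or any route that writes a response without going through `lock_survey`, is not affected by it. The save and unlock routes are outside this diff, so it is worth confirming that the write path re-checks `survey.status` (or admin) and not just lock ownership. The refusal is also an authorisation decision that depends on the caller's role, so `return {'message': 'Survey is closed'}, 403` would match the `check_access_nren` branch directly above it better than `400`. The function continues past the end of the hunk.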
@@ -83,7 +83,8 @@ function SurveyNavigationComponent({ surveyModel, surveyActions, year, nren, chi
 <Row className="survey-content">
 {!editing && (
 <div className="survey-edit-explainer">
- {!lockedBy && <span>The survey is in read-only mode; click the “Start editing“ button to start editing the answers.</span>}
+ {!lockedBy && surveyModel.editAllowed && <span>The survey is in read-only mode; click the “Start editing“ button to start editing the answers.</span>}
+ {!lockedBy && !surveyModel.editAllowed && <span>The survey is in read-only mode and can not be edited by you.</span>}
 {lockedBy && lockedBy != loggedInUser.name && 'The survey is in READONLY mode and currently being edited by: ' + lockedBy + '. To start editing the survey, ask them to complete their edits.'}
 {lockedBy && lockedBy == loggedInUser.name && 'The survey is in READONLY mode because you started editing in another tab, browser or device. To start editing the survey, either complete those edits or click the "Discard any unsaved changes" button.'}
 </div>
-- GitLab
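Review bot: The `lockedBy != loggedInUser.name` branch right after the two new `editAllowed` lines is unchanged, so a user for whom `surveyModel.editAllowed` is false and who sees someone else's lock is still told 'To start editing the survey, ask them to complete their edits', which the new `lock_survey` check would then refuse. Gating that sentence on `surveyModel.editAllowed` would keep the explainer consistent with the hidden "Start editing" button. The new message could also give the reason (the backend reports 'Survey is closed') and use 'cannot'. This is display logic only, and the enclosing component starts outside the hunk.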