From 710abf74df44ca32b83ab235c707329a515ea1bd Mon Sep 17 00:00:00 2001
From: msinkec
Date: Thu, 10 Feb 2022 10:25:27 +0100
Subject: [PATCH] endpoint permission updates for institutions, threw out add user from manage institution menu
---
 app.py | 13 +++++++---
 templates/solar-manage-institution.html | 32 -------------------------
 2 files changed, 10 insertions(+), 35 deletions(-)
diff --git a/app.py b/app.py
index 60fe4fb..413a4b7 100644
--- a/app.py
+++ b/app.py
@@ -231,7 +231,7 @@ def solar_register_post():
 portal.solar.send_admins_new_user_notification_mail(user_id, upload_handler_solar.config)
- flash('Podatki so bili poslani v potrditev. Ko bo registracija potrjena, boste o tem obveščeni po e-mailu, ki ste ga posredovali zgoraj.')
+ flash('Podatki so bili poslani v potrditev. Ko bo registracija potrjena, boste o tem obveščeni po e-mailu.')
 return redirect('/login')
@@ -679,8 +679,15 @@ def change_user_email():
 @app.route('/changeuserrole', methods=['POST'])
 @login_required
 def change_user_role():
+ institution = portal.solar.get_user_institution(current_user.id)
 if not portal.solar.is_admin(current_user.id):
- return '', 404
+
+ # Institution coordinators can only assign roles of users in their own
+ # institution.
+ if institution and portal.solar.is_institution_coordinator(current_user.id, institution.id):
+ pass
+ else:
+ return '', 404
 user_id = request.form.get('user-id')
 role = request.form.get('role')
@@ -717,7 +724,7 @@ def add_user_institution_mapping():
 if institution:
 institution_id = institution.id
- if not (portal.solar.is_admin(current_user.id) or portal.solar.is_institution_coordinator(current_user.id, institution_id)):
+ if not portal.solar.is_admin(current_user.id):
 return '', 404
 user_id = request.form['user_id']
diff --git a/templates/solar-manage-institution.html b/templates/solar-manage-institution.html
index f36a751..493cc1e 100644
--- a/templates/solar-manage-institution.html
+++ b/templates/solar-manage-institution.html
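Review bot: In `change_user_role` (app.py, hunk at -679), the new coordinator branch only verifies that the caller coordinates their own institution; nothing visible ties the posted `user-id` to that institution or restricts which `role` value a coordinator may submit, even though the added comment states that restriction. The function body continues outside the hunk, so this may be enforced further down, but if it is not, a coordinator can change roles of users in other institutions or assign a role above their own. I would check the target after reading the form, e.g. compare `portal.solar.get_user_institution(user_id)` against `institution` and reject roles coordinators must not grant, answering `return '', 404` as the other branches do. The `institution = portal.solar.get_user_institution(current_user.id)` lookup could also move inside the non-admin branch, and the `pass`/`else` pair reads more clearly as a single negated guard.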
@@ -57,26 +57,6 @@ {% endif %} {% endwith %} -

Seznam vseh aktivnih uporabnikov

-
- - - - - - - - - - {% for item in users %} - - - - - - {% endfor %} -
IDIme in priimekEmail
{{item.id}}{{item.name}}{{item.email}}
-

Seznam uporabnikov v vaši instituciji

@@ -99,18 +79,6 @@

-

Dodaj uporabnika instituciji

-
- -
- - - -

Odstrani uporabnika iz institucije