Implementing necessary changes in ACL group-lock checks.

krulis-martin · krulis-martin · commit ff022c803386 · 2026-05-05T13:27:13.000+02:00
diff --git a/app/V1Module/security/Policies/AssignmentSolutionPermissionPolicy.php b/app/V1Module/security/Policies/AssignmentSolutionPermissionPolicy.php
@@ -4,6 +4,7 @@
 
 use App\Model\Entity\AssignmentSolution;
 use App\Model\Entity\GroupMembership;
+use App\Model\GroupExamLockType;
 use App\Security\Identity;
 
 class AssignmentSolutionPermissionPolicy extends BasePermissionPolicy implements IPermissionPolicy
@@ -107,17 +108,38 @@ public function userIsNotLockedElsewhere(Identity $identity, AssignmentSolution
     }
 
     /**
-     * Current user is either not locked at all, or locked to this group, or the current lock is not strict.
+     * Current user is either not locked at all, or locked to this group (where the solution is),
+     * or the current lock type allows (read-only) access to this solution.
      */
-    public function userIsNotLockedElsewhereStrictly(Identity $identity, AssignmentSolution $solution): bool
+    public function userGroupLockTypeAllowsReadAccess(Identity $identity, AssignmentSolution $solution): bool
     {
         $user = $identity->getUserData();
         $group = $solution->getAssignment()?->getGroup();
         if ($user === null || $group === null) {
             return false;
         }
 
-        return !$user->isGroupLocked() || $user->getGroupLock()->getId() === $group->getId()
-            || !$user->isGroupLockStrict();
+        if (!$user->isGroupLocked() || $user->getGroupLock()->getId() === $group->getId()) {
+            return true;
+        }
+
+        $lockType = $user->getGroupLockType();
+        if ($lockType === null || $lockType === GroupExamLockType::Visible) {
+            return true;
+        }
+
+        if ($lockType === GroupExamLockType::Restricted) {
+            return false;  // a shortcut (false is also at the end)
+        }
+
+        if ($lockType === GroupExamLockType::Accepted) {
+            return $solution->isAccepted();
+        }
+
+        if ($lockType === GroupExamLockType::Reviewed) {
+            return $solution->isAccepted() || $solution->isReviewed();
+        }
+
+        return false;
     }
 }
diff --git a/app/config/permissions.neon b/app/config/permissions.neon
@@ -612,7 +612,7 @@ permissions:
           - viewReview
       conditions:
           - assignmentSolution.isAuthor
-          - assignmentSolution.userIsNotLockedElsewhereStrictly
+          - assignmentSolution.userGroupLockTypeAllowsReadAccess
 
     - allow: true
       role: student
@@ -633,7 +633,7 @@ permissions:
       conditions:
           - assignmentSolution.areEvaluationDetailsPublic
           - assignmentSolution.isAuthor
-          - assignmentSolution.userIsNotLockedElsewhereStrictly
+          - assignmentSolution.userGroupLockTypeAllowsReadAccess
 
     - allow: true
       role: student
@@ -644,7 +644,7 @@ permissions:
           - assignmentSolution.areEvaluationDetailsPublic
           - assignmentSolution.areMeasuredValuesPublic
           - assignmentSolution.isAuthor
-          - assignmentSolution.userIsNotLockedElsewhereStrictly
+          - assignmentSolution.userGroupLockTypeAllowsReadAccess
 
     - allow: true
       role: supervisor-student
