fix: allow faculty responsibility access for all faculty responsibles

mluukkai · mluukkai · commit c5b95e605ab6 · 2026-02-25T19:15:54.000+02:00
diff --git a/scripts/possu.sh b/scripts/possu.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+CONTAINER_NAME="palaute_db"
+USER="postgres"
+DB="${1:-postgres}"
+
+docker exec -it "$CONTAINER_NAME" psql -U "$USER" "$DB"
diff --git a/src/server/routes/feedbackTargets/feedbackTargetController.ts b/src/server/routes/feedbackTargets/feedbackTargetController.ts
@@ -33,6 +33,8 @@ import { PUBLIC_COURSE_BROWSER_ENABLED } from '../../util/config'
 const adRouter = Router()
 const noadRouter = Router()
 
+const isProgrammeCode = (code: string) => /^\d{3}-[MK]\d{3,4}$/.test(code)
+
 // TODO figure out if the two bellow functions could be united
 adRouter.get('/for-faculty/:code', async (req: AuthenticatedRequest, res: Response) => {
   const { user } = req
@@ -41,6 +43,7 @@ adRouter.get('/for-faculty/:code', async (req: AuthenticatedRequest, res: Respon
   if (!code) throw ApplicationError.BadRequest('Missing code')
 
   const organisationAccess = await user.organisationAccess
+
   if (!organisationAccess[code]?.read) throw ApplicationError.Forbidden()
 
   const facultyOrganisation = await Organisation.findOne({
@@ -56,10 +59,7 @@ adRouter.get('/for-faculty/:code', async (req: AuthenticatedRequest, res: Respon
 
   if (!facultyOrganisation) throw ApplicationError.NotFound('Organisation not found')
 
-  const childOrgCodes =
-    facultyOrganisation.childOrganisations
-      ?.filter(child => organisationAccess[child.code]?.read)
-      .map(child => child.code) || []
+  const childOrgCodes = facultyOrganisation.childOrganisations?.map(child => child.code).filter(isProgrammeCode) || []
 
   const allOrganisationCodes = [code, ...childOrgCodes]
 
@@ -69,6 +69,7 @@ adRouter.get('/for-faculty/:code', async (req: AuthenticatedRequest, res: Respon
       startDate: startDate as string,
       endDate: endDate as string,
       user,
+      skipAccessCheck: orgCode !== code,
     })
   )
 
diff --git a/src/server/services/feedbackTargets/getByOrganisation.ts b/src/server/services/feedbackTargets/getByOrganisation.ts
@@ -137,12 +137,21 @@ interface GetByOrganisationParams {
   startDate?: string | Date
   endDate?: string | Date
   user: User
+  skipAccessCheck?: boolean
 }
 
-const getByOrganisation = async ({ organisationCode, startDate, endDate, user }: GetByOrganisationParams) => {
-  const organisationAccess = await user.organisationAccess
+const getByOrganisation = async ({
+  organisationCode,
+  startDate,
+  endDate,
+  user,
+  skipAccessCheck = false,
+}: GetByOrganisationParams) => {
+  if (!skipAccessCheck) {
+    const organisationAccess = await user.organisationAccess
 
-  if (!organisationAccess[organisationCode]?.read) throw ApplicationError.Forbidden()
+    if (!organisationAccess[organisationCode]?.read) throw ApplicationError.Forbidden()
+  }
 
   const start = startDate ? new Date(startDate) : new Date()
   const end = endDate ? new Date(endDate) : addMonths(start, 12)
