Change team edition permissions (#865)

## Description

### Summary

<!--Brief description of what this PR does.-->
Allow school BDS to modify school's teams


### Related Issues

<!-- If applicable -->
Closes #<!--0-->

## Changes Made

<!--Please describe the changes made in this pull request-->

- ...

## Type of Change

- [x] 🐛 Bug fix (non-breaking change which fixes an issue)
- [x] ✨ New feature (non-breaking change which adds functionality)
- [ ] 🔨 Refactor (non-breaking change that neither fixes a bug nor adds
a feature)
- [ ] 🔧 Infra CI/CD (changes to configs of workflows)
- [ ] 💥 BREAKING CHANGE (fix or feature that require a new minimal
version of the front-end)

## Impact & Scope

- [ ] Core functionality changes
- [x] Single module changes
- [ ] Multiple modules changes
- [ ] Database migrations required
- [ ] Other

## Testing

- [x] Added/modified tests that pass the CI
- [ ] Tested in a pre-prod
- [ ] Tested this locally

## Documentation

- [ ] Updated docs accordingly (docs.myecl.fr) : <!--[Docs#0 -
Title](https://github.com/aeecleclair/myecl-documentation/pull/0)-->
- [ ] Code includes docstrings
- [x] No documentation needed

## Checklist

- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] Any dependent changes have been merged and published (_Indicate
the linked PR for the dependent changes_)

## Additional Notes

Add any other context, screenshots, or information about the pull
request here.

Author: Rotheem

app/modules/sport_competition/endpoints_sport_competition.py

@@ -1527,6 +1527,31 @@ async def get_teams_for_sport(
     )
 
 
+@module.router.get(
+    "/competition/teams/schools/{school_id}",
+    response_model=list[schemas_sport_competition.TeamComplete],
+)
+async def get_teams_for_school(
+    school_id: UUID,
+    db: AsyncSession = Depends(get_db),
+    edition: schemas_sport_competition.CompetitionEdition = Depends(
+        get_current_edition,
+    ),
+    user: models_users.CoreUser = Depends(is_user()),
+) -> list[schemas_sport_competition.TeamComplete]:
+    school = await cruds_sport_competition.load_school_by_id(school_id, db)
+    if school is None:
+        raise HTTPException(
+            status_code=404,
+            detail="School not found in the database",
+        )
+    return await cruds_sport_competition.load_all_teams_by_school_id(
+        school_id,
+        edition.id,
+        db,
+    )
+
+
 @module.router.get(
     "/competition/teams/sports/{sport_id}/schools/{school_id}",
     response_model=list[schemas_sport_competition.TeamComplete],
@@ -1573,6 +1598,12 @@ async def create_team(
     ),
     user: schemas_users.CoreUser = Depends(is_user()),
 ) -> schemas_sport_competition.Team:
+    if not edition.inscription_enabled:
+        raise HTTPException(
+            status_code=400,
+            detail="Inscriptions are not enabled for the current edition",
+        )
+
     if GroupType.competition_admin.value not in [
         group.id for group in user.groups
     ] and (user.id != team_info.captain_id or user.school_id != team_info.school_id):
@@ -1659,9 +1690,22 @@ async def edit_team(
             status_code=404,
             detail="Team not found in the database",
         )
-    if user.id != stored.captain_id and GroupType.competition_admin.value not in [
-        group.id for group in user.groups
-    ]:
+    user_competition_groups = (
+        await cruds_sport_competition.load_user_competition_groups_memberships(
+            user.id,
+            stored.edition_id,
+            db,
+        )
+    )
+    if (
+        user.id != stored.captain_id
+        and GroupType.competition_admin.value not in [group.id for group in user.groups]
+        and (
+            CompetitionGroupType.schools_bds
+            not in [group.group for group in user_competition_groups]
+            or user.school_id != stored.school_id
+        )
+    ):
         raise HTTPException(status_code=403, detail="Unauthorized action")
     if team_info.captain_id is not None and team_info.captain_id != stored.captain_id:
         sport = await cruds_sport_competition.load_sport_by_id(
@@ -1712,16 +1756,32 @@ async def delete_team(
     team_id: UUID,
     db: AsyncSession = Depends(get_db),
     user: schemas_users.CoreUser = Depends(is_user()),
+    edition: schemas_sport_competition.CompetitionEdition = Depends(
+        get_current_edition,
+    ),
 ) -> None:
     stored = await cruds_sport_competition.load_team_by_id(team_id, db)
     if stored is None:
         raise HTTPException(
             status_code=404,
             detail="Team not found in the database",
         )
-    if user.id != stored.captain_id and GroupType.competition_admin.value not in [
-        group.id for group in user.groups
-    ]:
+    user_competition_groups = (
+        await cruds_sport_competition.load_user_competition_groups_memberships(
+            user.id,
+            edition.id,
+            db,
+        )
+    )
+    if (
+        user.id != stored.captain_id
+        and GroupType.competition_admin.value not in [group.id for group in user.groups]
+        and (
+            CompetitionGroupType.schools_bds
+            not in [group.group for group in user_competition_groups]
+            or user.school_id != stored.school_id
+        )
+    ):
         raise HTTPException(status_code=403, detail="Unauthorized action")
     await cruds_sport_competition.delete_team_by_id(stored.id, db)
 
@@ -2092,6 +2152,12 @@ async def withdraw_from_sport(
         get_current_edition,
     ),
 ) -> None:
+    if not edition.inscription_enabled:
+        raise HTTPException(
+            status_code=400,
+            detail="Inscriptions are not enabled for this edition",
+        )
+
     participant = await cruds_sport_competition.load_participant_by_ids(
         user.user_id,
         sport_id,
@@ -2139,6 +2205,15 @@ async def delete_participant(
         get_current_edition,
     ),
 ) -> None:
+    if (
+        GroupType.competition_admin.value
+        not in [group.id for group in user.user.groups]
+        and not edition.inscription_enabled
+    ):
+        raise HTTPException(
+            status_code=403,
+            detail="Editions inscriptions are closed",
+        )
     participant = await cruds_sport_competition.load_participant_by_ids(
         user_id,
         sport_id,
@@ -3076,6 +3151,49 @@ async def delete_product_variant(
 # region: Purchases
 
 
+@module.router.get(
+    "/competition/purchases/schools/{school_id}",
+    response_model=dict[str, list[schemas_sport_competition.PurchaseComplete]],
+    status_code=200,
+)
+async def get_purchases_by_school_id(
+    school_id: UUID,
+    db: AsyncSession = Depends(get_db),
+    user: schemas_sport_competition.CompetitionUser = Depends(
+        is_competition_user(competition_group=CompetitionGroupType.schools_bds),
+    ),
+    edition: schemas_sport_competition.CompetitionEdition = Depends(
+        get_current_edition,
+    ),
+):
+    """
+    Get a school's purchases.
+
+    **User must be competition admin to use this endpoint**
+    """
+    school = await cruds_sport_competition.load_school_by_id(school_id, db)
+    if not school:
+        raise HTTPException(
+            status_code=404,
+            detail="School not found.",
+        )
+    users = await cruds_sport_competition.load_all_competition_users_by_school(
+        school_id,
+        edition.id,
+        db,
+    )
+    purchases_by_user: dict[str, list[schemas_sport_competition.PurchaseComplete]] = {}
+    for db_user in users:
+        purchases_by_user[
+            db_user.user_id
+        ] = await cruds_sport_competition.load_purchases_by_user_id(
+            db_user.user_id,
+            edition.id,
+            db,
+        )
+    return purchases_by_user
+
+
 @module.router.get(
     "/competition/purchases/users/{user_id}",
     response_model=list[schemas_sport_competition.Purchase],
@@ -3134,6 +3252,12 @@ async def create_purchase(
 
     **User must create a purchase for themself**
     """
+    if not edition.inscription_enabled:
+        raise HTTPException(
+            status_code=403,
+            detail="You can't make a purchase when inscriptions are closed",
+        )
+
     competition_user = await cruds_sport_competition.load_competition_user_by_id(
         user.id,
         edition.id,
@@ -3226,6 +3350,11 @@ async def delete_purchase(
 
     **User must delete their own purchase**
     """
+    if not edition.inscription_enabled:
+        raise HTTPException(
+            status_code=403,
+            detail="You can't delete a purchase when inscriptions are closed",
+        )
 
     db_purchase = await cruds_sport_competition.load_purchase_by_ids(
         user.id,
@@ -3265,6 +3394,56 @@ async def delete_purchase(
 # region: Payments
 
 
+@module.router.get(
+    "/competition/payments/schools/{school_id}",
+    response_model=dict[str, list[schemas_sport_competition.PaymentComplete]],
+    status_code=200,
+)
+async def get_users_payments_by_school_id(
+    school_id: UUID,
+    db: AsyncSession = Depends(get_db),
+    user: schemas_sport_competition.CompetitionUser = Depends(
+        is_competition_user(competition_group=CompetitionGroupType.schools_bds),
+    ),
+    edition: schemas_sport_competition.CompetitionEdition = Depends(
+        get_current_edition,
+    ),
+):
+    """
+    Get a school's users payments.
+
+    **User must be competition admin to use this endpoint**
+    """
+    school = await cruds_sport_competition.load_school_by_id(school_id, db)
+    if not school:
+        raise HTTPException(
+            status_code=404,
+            detail="The school does not exist.",
+        )
+    if user.user.school_id != school_id and GroupType.competition_admin.value not in [
+        group.id for group in user.user.groups
+    ]:
+        raise HTTPException(
+            status_code=403,
+            detail="You're not allowed to see other schools payments.",
+        )
+    users = await cruds_sport_competition.load_all_competition_users_by_school(
+        school_id,
+        edition.id,
+        db,
+    )
+    payments_by_user: dict[str, list[schemas_sport_competition.PaymentComplete]] = {}
+    for db_user in users:
+        payments_by_user[
+            db_user.user_id
+        ] = await cruds_sport_competition.load_user_payments(
+            db_user.user_id,
+            edition.id,
+            db,
+        )
+    return payments_by_user
+
+
 @module.router.get(
     "/competition/users/{user_id}/payments",
     response_model=list[schemas_sport_competition.PaymentComplete],
@@ -3481,7 +3660,11 @@ async def get_payment_url(
     """
     Get payment url
     """
-
+    if not edition.inscription_enabled:
+        raise HTTPException(
+            status_code=403,
+            detail="Inscriptions are not enabled for this edition.",
+        )
     purchases = await cruds_sport_competition.load_purchases_by_user_id(
         user.id,
         edition.id,

app/modules/sport_competition/utils_sport_competition.py

@@ -139,6 +139,16 @@ async def validate_payment(
         )
         raise ValueError(f"User checkout {checkout_id} not found.")  # noqa: TRY003
 
+    edition = await cruds_sport_competition.load_edition_by_id(
+        checkout.edition_id,
+        db,
+    )
+    if not edition or not edition.inscription_enabled:
+        raise HTTPException(
+            status_code=403,
+            detail="Inscriptions are not enabled for this edition.",
+        )
+
     db_payment = schemas_sport_competition.PaymentComplete(
         id=uuid4(),
         user_id=checkout.user_id,

pyproject.toml

@@ -6,7 +6,7 @@ authors = [{ name = "AEECL ECLAIR" }]
 
 # Hyperion follows Semantic Versioning
 # https://semver.org/
-version = "4.9.6"
+version = "4.9.7"
 minimal-titan-version-code = 139
 requires-python = ">= 3.11, < 3.13"
 

tests/sport_competition/test_purchases.py

@@ -1049,6 +1049,21 @@ async def test_delete_product_variant_with_purchases(
     )
 
 
+async def test_get_school_users_purchases(
+    client: TestClient,
+):
+    response = client.get(
+        f"/competition/purchases/schools/{SchoolType.centrale_lyon.value}",
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert isinstance(data, dict)
+    assert admin_user.id in data
+    assert isinstance(data[admin_user.id], list)
+    assert len(data[admin_user.id]) == 2
+
+
 async def get_user_purchases(
     client: TestClient,
 ):
@@ -1204,6 +1219,21 @@ async def test_delete_validated_purchase(
     )
 
 
+async def test_get_school_users_payments(
+    client: TestClient,
+):
+    response = client.get(
+        f"/competition/payments/schools/{SchoolType.centrale_lyon.value}",
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert isinstance(data, dict)
+    assert admin_user.id in data
+    assert isinstance(data[admin_user.id], list)
+    assert len(data[admin_user.id]) == 1
+
+
 async def test_get_payments(
     client: TestClient,
 ):

tests/sport_competition/test_sport_inscription.py

@@ -1598,6 +1598,18 @@ async def test_get_sport_teams(
     assert len(teams) == 2
 
 
+async def test_get_school_teams(
+    client: TestClient,
+) -> None:
+    response = client.get(
+        f"/competition/teams/schools/{school1.id}",
+        headers={"Authorization": f"Bearer {user3_token}"},
+    )
+    assert response.status_code == 200, response.json()
+    teams = response.json()
+    assert len(teams) == 1
+
+
 async def test_get_sport_team_for_school(
     client: TestClient,
 ) -> None: