From cf5ff28d7835012c6d8b8499549849dc72f49824 Mon Sep 17 00:00:00 2001
From: Martin Mares <mj@ucw.cz>
Date: Fri, 11 Oct 2024 17:29:18 +0200
Subject: [PATCH] When showing student threads, check that the student exists
 and is enrolled

Closes #113.
---
 owl/course.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/owl/course.py b/owl/course.py
index 6fe5cb8..b22c251 100644
--- a/owl/course.py
+++ b/owl/course.py
@@ -223,11 +223,18 @@ def topic_index(sident: str, cident: str, tident: str, student_uid: Optional[int
     if student_uid is not None:
         if not g.is_grader:
             raise werkzeug.exceptions.Forbidden('Only graders are allowed to do that')
+        enroll = sess.scalar(
+            select(db.Enroll)
+            .filter_by(uid=student_uid, cid=g.course.cid, is_teacher=False)
+            .options(joinedload(db.Enroll.user))
+        )
+        if enroll is None:
+            raise werkzeug.exceptions.NotFound('No such student of this course')
         if g.course.anon_grading and not g.is_teacher:
             show_for_user = f'Student {student_uid}'
             filename_base = str(student_uid)
         else:
-            show_for_user = sess.get(db.User, student_uid).full_name()
+            show_for_user = enroll.user.full_name()
             filename_base = show_for_user
     else:
         show_for_user = None
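Review bot: The new enrollment query eagerly joins `db.Enroll.user` even on the `g.course.anon_grading and not g.is_teacher` path, where the code only ever shows `Student {student_uid}` and the user row is not needed. Loading the identity there is not a leak by itself, but it puts the student's record within reach of any later code or template that touches `enroll` on the anonymous path. I would drop `.options(joinedload(db.Enroll.user))` and let `enroll.user.full_name()` load the user only in the `else` branch. If the join is kept, add a comment such as `# enrollment is checked on both paths; enroll.user must not be used when grading is anonymous`. The rest of `topic_index` is outside this hunk, so whether `enroll` is read further down cannot be confirmed from here.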
-- 
GitLab