Hide private assessments from non-admins

nsidc · Mar 21, 2024 · 57a8a92 · 57a8a92
1 parent 09bdb27
commit 57a8a92
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/usaon_benefit_tool/routes/assessments.py b/usaon_benefit_tool/routes/assessments.py
@@ -5,7 +5,7 @@
     request,
     url_for,
 )
-from flask_login import login_required
+from flask_login import current_user, login_required
 
 from usaon_benefit_tool import db
 from usaon_benefit_tool._types import RoleName
@@ -19,7 +19,12 @@
 @assessments_bp.route('', methods=["GET"])
 @login_required
 def get():
-    assessments = Assessment.query.order_by(Assessment.created_timestamp).all()
+    qry = Assessment.query
+
+    if current_user.role_id != RoleName.ADMIN:
+        qry = qry.filter_by(private=False)
+
+    assessments = qry.order_by(Assessment.created_timestamp).all()
     form = FORMS_BY_MODEL[Assessment](obj=Assessment())
     return render_template('assessments.html', assessments=assessments, form=form)