From f97abc16d6bb31378e7b7fcf9f6c5dd378123e4c Mon Sep 17 00:00:00 2001
From: stevensonmichel
Date: Wed, 14 Jun 2023 17:09:33 -0400
Subject: [PATCH 1/3] Redirected Users who are not admin or Faculty to Warning Page

---
 app/controllers/serviceLearning/routes.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/serviceLearning/routes.py b/app/controllers/serviceLearning/routes.py
index 082404be4..cd76ca187 100644
--- a/app/controllers/serviceLearning/routes.py
+++ b/app/controllers/serviceLearning/routes.py
@@ -22,11 +22,11 @@
 @serviceLearning_bp.route('/serviceLearning/courseManagement', methods = ['GET'])
 @serviceLearning_bp.route('/serviceLearning/courseManagement/', methods = ['GET'])
 def serviceCourseManagement(username=None):
- if g.current_user.isStudent:
- abort(403)
- if g.current_user.isCeltsAdmin or g.current_user.isFaculty:
+ user = User.get(User.username==username) if username else g.current_user
+ isRequestingForSelf = g.current_user == user
+
+ if g.current_user.isCeltsAdmin or (g.current_user.isFaculty and isRequestingForSelf):
 setRedirectTarget("/serviceLearning/courseManagement")
- user = User.get(User.username==username) if username else g.current_user
 courseDict = getServiceLearningCoursesData(user)
 termList = selectSurroundingTerms(g.current_term, prevTerms=0)
 return render_template('serviceLearning/slcManagement.html',
@@ -36,6 +36,7 @@ def serviceCourseManagement(username=None):
 else:
 flash("Unauthorized to view page", 'warning')
 return redirect(url_for('main.events', selectedTerm=g.current_term))
+
 @serviceLearning_bp.route('/serviceLearning/viewProposal/', methods=['GET'])
 @serviceLearning_bp.route('/serviceLearning/editProposal/upload/', methods=['GET'])

From 1fcba6019d18b4c5cf15a42940632b220b237323 Mon Sep 17 00:00:00 2001
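Review bot: The added `user = User.get(User.username==username) if username else g.current_user` runs before any authorization check, so every logged-in caller, including those the `else` branch later rejects, drives a database lookup on an arbitrary path-supplied username, and an unknown username raises an unhandled `DoesNotExist` at this point. Patch 2/3 converts that into `abort(404)` but keeps the lookup ahead of the check, which together with its `abort(403)` for known names gives any authenticated user a username-existence oracle. Deciding "self" from the path string removes the need for the early lookup: `isRequestingForSelf = username is None or username == g.current_user.username`, with the `User.get` moved under the authorized branch (the `==` between peewee model instances compares class and primary key as far as I know, so this is equivalent for the purpose; confirm against the User model). The route strings appear to have lost their `<username>` converter in this rendering, and `serviceCourseManagement`'s body continues past the hunk.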
From: hoerstl
Date: Thu, 15 Jun 2023 09:39:53 -0400
Subject: [PATCH 2/3] Caught the user does not exist exception and the page aborts to a 403 if the user doesn't have permissions instead of redirecting them with a warning.

---
 app/controllers/serviceLearning/routes.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/controllers/serviceLearning/routes.py b/app/controllers/serviceLearning/routes.py
index cd76ca187..c5058cdb0 100644
--- a/app/controllers/serviceLearning/routes.py
+++ b/app/controllers/serviceLearning/routes.py
@@ -22,9 +22,12 @@
 @serviceLearning_bp.route('/serviceLearning/courseManagement', methods = ['GET'])
 @serviceLearning_bp.route('/serviceLearning/courseManagement/', methods = ['GET'])
 def serviceCourseManagement(username=None):
- user = User.get(User.username==username) if username else g.current_user
+ try:
+ user = User.get(User.username==username) if username else g.current_user
+ except DoesNotExist:
+ abort(404)
+
 isRequestingForSelf = g.current_user == user
-
 if g.current_user.isCeltsAdmin or (g.current_user.isFaculty and isRequestingForSelf):
 setRedirectTarget("/serviceLearning/courseManagement")
 courseDict = getServiceLearningCoursesData(user)
@@ -34,9 +37,8 @@ def serviceCourseManagement(username=None):
 courseDict=courseDict,
 termList=termList)
 else:
- flash("Unauthorized to view page", 'warning')
- return redirect(url_for('main.events', selectedTerm=g.current_term))
-
+ abort(403)
+
 @serviceLearning_bp.route('/serviceLearning/viewProposal/', methods=['GET'])
 @serviceLearning_bp.route('/serviceLearning/editProposal/upload/', methods=['GET'])

From 491275ba214908ded6f07265b0881d9aad7bb1b0 Mon Sep 17 00:00:00 2001
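Review bot: `except DoesNotExist:` depends on the bare `DoesNotExist` name being imported from `peewee` somewhere above this hunk, which is not visible here; `except User.DoesNotExist:` catches the model-specific subclass and needs no extra import, so it is the safer spelling if that import is missing. The `try` body also wraps the `else g.current_user` arm, which cannot raise, so narrowing it to the `User.get` call alone keeps the handler from masking anything else; e.g. `user = g.current_user` first, then `if username:` around a `try: user = User.get(User.username==username)` / `except User.DoesNotExist: abort(404)`. The 404 here and the 403 in the second hunk are raised on opposite sides of the `isCeltsAdmin`/`isFaculty` check; see the note on patch 1/3 for the ordering. The function starts at this hunk's `def` line and continues past it.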
From: hoerstl
Date: Thu, 15 Jun 2023 10:27:44 -0400
Subject: [PATCH 3/3] Fixed the behavior of the redirect target to be the page on our website where the user came from and not our own course management page.

---
 app/controllers/serviceLearning/routes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/serviceLearning/routes.py b/app/controllers/serviceLearning/routes.py
index c5058cdb0..655bc4c67 100644
--- a/app/controllers/serviceLearning/routes.py
+++ b/app/controllers/serviceLearning/routes.py
@@ -26,10 +26,10 @@ def serviceCourseManagement(username=None):
 user = User.get(User.username==username) if username else g.current_user
 except DoesNotExist:
 abort(404)
-
+
 isRequestingForSelf = g.current_user == user
 if g.current_user.isCeltsAdmin or (g.current_user.isFaculty and isRequestingForSelf):
- setRedirectTarget("/serviceLearning/courseManagement")
+ setRedirectTarget(request.full_path)
 courseDict = getServiceLearningCoursesData(user)
 termList = selectSurroundingTerms(g.current_term, prevTerms=0)
 return render_template('serviceLearning/slcManagement.html',
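Review bot: `request.full_path` is Werkzeug's `path + '?' + query_string`, so a request without a query string stores a target ending in a dangling `?` (e.g. `/serviceLearning/courseManagement/?`), and the stored value is now request-shaped input rather than a fixed constant. If the query string is not needed, `setRedirectTarget(request.path)` avoids the stray `?`; otherwise `setRedirectTarget(request.full_path.rstrip('?'))`. Wherever `setRedirectTarget`'s value is later consumed by a `redirect()`, it is worth confirming the consumer rejects a target that does not start with a single `/`, since a path beginning with `//` is treated by browsers as protocol-relative (whether such a path can reach this view depends on the app's slash-merging in routing, which is not visible here). `request` must be imported from flask above this hunk; that import is not shown, and the function starts and ends outside the hunk.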