Improves admin and course-based permission checks

[happylittle7]

Overview

• Refines permission logic to clearly distinguish admin users from regular users, allowing admins to manage all items regardless of course affiliation.
• Ensures that permission checks consistently validate the existence of the target item before granting access.
• Standardizes API response formatting for improved readability and maintainability.

Rationale

These updates help prevent unauthorized access and possible errors by ensuring only users with appropriate privileges can perform sensitive actions. The changes also improve code clarity, making future updates to permission logic easier and less error-prone.

Relates to improved security and code maintainability.

[Copilot]

Pull request overview

This PR refines permission logic in the copycat views to clearly distinguish admin users from regular course-based users. Admins with elevated privileges can now manage plagiarism checks for all problems regardless of course affiliation, while regular users must still be teachers or TAs of the problem's associated course. The changes also standardize API response formatting for improved code consistency.

Key Changes

• Added admin privilege checks allowing superusers, staff, and admin-identity users to access all problems
• Refactored api_response function for better readability with multi-line formatting
• Updated permission check logic to validate problem existence for both admin and non-admin users

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

There's inconsistent handling of admin permissions. The code checks three different attributes for admin status (is_superuser, is_staff, and identity == 'admin'), but the logic treats them all as equivalent. Consider consolidating this into a single method or property on the User model to avoid having to repeat this complex boolean expression throughout the codebase. This would improve maintainability and reduce the risk of inconsistently checking admin status in different parts of the application.

[Copilot]

The new admin permission logic introduced in this PR lacks test coverage. There are no tests verifying that admins (users with is_superuser, is_staff, or identity='admin') can access problems across all courses, nor tests ensuring the problem existence check works correctly for admin users. Consider adding test cases for admin users to verify they can operate on problems regardless of course affiliation, and that they receive appropriate errors when problems don't exist.

[Copilot]

The removal of the if data is None: data = {} line causes a bug. When api_response is called with data=None (which happens in several places in this file, e.g., line 86, 93, 140, 146), the response will include "data": null instead of "data": {}. This changes the API response format and may break clients expecting an empty object rather than null.

[Copilot]

The admin permission check should verify that the problem exists before allowing admin access. Currently, there's a race condition: admins bypass the course-based permission checks at lines 48-72, but the problem existence check at lines 43-44 occurs after the admin privileges are already confirmed. If a malicious admin attempts to access a problem between deletion and this check, unexpected behavior could occur. Consider moving the problem existence check before the admin privilege evaluation to fail fast on non-existent problems.