[#11935] Fix instructors with custom permissions cannot view student list

src/main/java/teammates/common/datatransfer/InstructorPrivileges.java

@@ -446,6 +446,19 @@ public Map<String, Map<String, InstructorPermissionSet>> getSessionLevelPrivileg
         return copy;
     }
 
+    /**
+     * Returns the list of sections the instructor has the specified privilege name.
+     */
+    public Map<String, InstructorPermissionSet> getSectionsWithPrivilege(String privilegeName) {
+        Map<String, InstructorPermissionSet> copy = new LinkedHashMap<>();
+        sectionLevel.forEach((key, value) -> {
+            if (isAllowedInSectionLevel(key, privilegeName)) {
+                copy.put(key, value.getCopy());
+            }
+        });
+        return copy;
+    }
+
     @Override
     public boolean equals(Object another) {
         if (!(another instanceof InstructorPrivileges)) {

src/main/java/teammates/common/datatransfer/attributes/InstructorAttributes.java

@@ -4,8 +4,10 @@
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 
+import teammates.common.datatransfer.InstructorPermissionSet;
 import teammates.common.datatransfer.InstructorPrivileges;
 import teammates.common.datatransfer.InstructorPrivilegesLegacy;
 import teammates.common.util.Config;
@@ -358,6 +360,13 @@ public void setUpdatedAt(Instant updatedAt) {
         this.updatedAt = updatedAt;
     }
 
+    /**
+     * Returns a list of sections this instructor has the specified privilege.
+     */
+    public Map<String, InstructorPermissionSet> getSectionsWithPrivilege(String privilegeName) {
+        return this.privileges.getSectionsWithPrivilege(privilegeName);
+    }
+
     /**
      * Updates with {@link UpdateOptionsWithEmail}.
      */

src/main/java/teammates/ui/webapi/GateKeeper.java

@@ -108,7 +108,10 @@ void verifyAccessible(InstructorAttributes instructor, CourseAttributes course,
                                                   + instructor.getEmail() + "]");
         }
 
-        if (!instructor.isAllowedForPrivilege(privilegeName)) {
+        boolean instructorIsAllowedCoursePrivilege = instructor.isAllowedForPrivilege(privilegeName);
+        boolean instructorIsAllowedSectionPrivilege =
+                instructor.getSectionsWithPrivilege(privilegeName).size() != 0;
+        if (!instructorIsAllowedCoursePrivilege && !instructorIsAllowedSectionPrivilege) {
             throw new UnauthorizedAccessException("Course [" + course.getId() + "] is not accessible to instructor ["
                                                   + instructor.getEmail() + "] for privilege [" + privilegeName + "]");
         }

src/main/java/teammates/ui/webapi/GetStudentsAction.java

@@ -1,6 +1,8 @@
 package teammates.ui.webapi;
 
+import java.util.LinkedList;
 import java.util.List;
+import java.util.Set;
 
 import teammates.common.datatransfer.attributes.InstructorAttributes;
 import teammates.common.datatransfer.attributes.StudentAttributes;
@@ -40,19 +42,34 @@ void checkSpecificAccessControl() throws UnauthorizedAccessException {
     public JsonResult execute() {
         String courseId = getNonNullRequestParamValue(Const.ParamsNames.COURSE_ID);
         String teamName = getRequestParamValue(Const.ParamsNames.TEAM_NAME);
+        InstructorAttributes instructor = logic.getInstructorForGoogleId(courseId, userInfo.id);
+        String privilegeName = Const.InstructorPermissions.CAN_VIEW_STUDENT_IN_SECTIONS;
+        boolean hasCoursePrivilege = instructor != null
+                && instructor.isAllowedForPrivilege(privilegeName);
+        boolean hasSectionPrivilege = instructor != null
+                && instructor.getSectionsWithPrivilege(privilegeName).size() != 0;
 
-        if (teamName == null) {
-            // request to get all students of a course by instructor
+        if (teamName == null && hasCoursePrivilege) {
+            // request to get all course students by instructor with course privilege
             List<StudentAttributes> studentsForCourse = logic.getStudentsForCourse(courseId);
             return new JsonResult(new StudentsData(studentsForCourse));
+        } else if (teamName == null && hasSectionPrivilege) {
+            // request to get students by instructor with section privilege
+            List<StudentAttributes> studentsForCourse = logic.getStudentsForCourse(courseId);
+            List<StudentAttributes> studentsToReturn = new LinkedList<>();
+            Set<String> sectionsWithViewPrivileges = instructor.getSectionsWithPrivilege(privilegeName).keySet();
+            studentsForCourse.forEach(student -> {
+                if (sectionsWithViewPrivileges.contains(student.getSection())) {
+                    studentsToReturn.add(student);
+                }
+            });
+            return new JsonResult(new StudentsData(studentsToReturn));
         } else {
             // request to get team members by current student
             List<StudentAttributes> studentsForTeam = logic.getStudentsForTeam(teamName, courseId);
             StudentsData studentsData = new StudentsData(studentsForTeam);
             studentsData.getStudents().forEach(StudentData::hideInformationForStudent);
             return new JsonResult(studentsData);
         }
-
     }
-
 }