From 078e1aa0f8f7d289415f2c8c95ad555828dbaca5 Mon Sep 17 00:00:00 2001
From: Rasmus Fuhse <fuhse@data-quest.de>
Date: Mon, 28 Aug 2023 13:54:45 +0000
Subject: [PATCH] Resolve "OER Campus API kann immer aufgerufen werden"

Closes #3012

Merge request studip/studip!2089
---
 app/controllers/oer/endpoints.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/app/controllers/oer/endpoints.php b/app/controllers/oer/endpoints.php
index 8eb286fad1c..70b8e5cd916 100644
--- a/app/controllers/oer/endpoints.php
+++ b/app/controllers/oer/endpoints.php
@@ -5,6 +5,20 @@ class Oer_EndpointsController extends StudipController
 
     protected $with_session = true;  //we do need to have a session for this controller
 
+    public function before_filter(&$action, &$args)
+    {
+        parent::before_filter($action, $args);
+        if (
+            !Config::get()->OERCAMPUS_ENABLED
+            || (
+                Config::get()->OER_PUBLIC_STATUS !== 'nobody'
+                && !$GLOBALS['perm']->have_perm(Config::get()->OER_PUBLIC_STATUS)
+            )
+        ) {
+            throw new AccessDeniedException();
+        }
+    }
+
     public function index_action()
     {
         $this->controllerreflection = new ReflectionClass($this);
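Review bot: The `OER_PUBLIC_STATUS !== 'nobody'` branch of the new `before_filter` skips the permission check entirely when the setting is `'nobody'`, and nothing in the hunk states that this is the intended "open to anonymous callers" case. A comment above the `if` would make the access policy explicit, e.g. `// 'nobody' means the endpoints are public; any other value is the minimum permission level required`. The configured value is also passed to `have_perm()` without validation, so whether an empty or mistyped setting denies or grants access depends on `have_perm()`, which is not visible here; if it does not fail closed, the value should be checked against the known permission levels before the call. The filter applies to every action of the controller and the class body continues outside the hunk, so any action that remote hosts are expected to call without a logged-in session should be confirmed against this gate.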
-- 
GitLab