From 2148d6dd2da37e5f4e7982d91179df8766c6a36e Mon Sep 17 00:00:00 2001
From: Moritz Strohm <strohm@data-quest.de>
Date: Wed, 22 Sep 2021 16:57:51 +0200
Subject: [PATCH] ResourceBooking::convertToEventData: check course visibility
 and user access before using course title

---
 lib/models/resources/ResourceBooking.class.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/models/resources/ResourceBooking.class.php b/lib/models/resources/ResourceBooking.class.php
index 8c82b358923..0d1874b320e 100644
--- a/lib/models/resources/ResourceBooking.class.php
+++ b/lib/models/resources/ResourceBooking.class.php
@@ -1685,6 +1685,8 @@ class ResourceBooking extends SimpleORMap implements PrivacyObject, Studip\Calen
                     $booking_view_urls
                 );
             }
+
+            $event_title = '';
             $prefix = '';
             $icon = '';
 
@@ -1703,7 +1705,17 @@ class ResourceBooking extends SimpleORMap implements PrivacyObject, Studip\Calen
                 $icon = 'refresh';
             }
 
-            $event_title = $prefix . $this->getAssignedUserName();
+            if ($this->assigned_course_date instanceof CourseDate) {
+                $course = $this->assigned_course_date->course;
+                if ($course instanceof Course) {
+                    $has_perms = $GLOBALS['perm']->have_studip_perm('user', $course->id, $user->id);
+                    if ($has_perms || $course->visible) {
+                        $event_title = $prefix . $this->getAssignedUserName();
+                    }
+                }
+            } else {
+                $event_title = $prefix . $this->getAssignedUserName();
+            }
 
             $interval_api_urls = $booking_api_urls;
             if ($booking_is_editable) {
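Review bot: When `if ($has_perms || $course->visible)` is false, or when `$course` is not a `Course`, `$event_title` silently keeps the empty string set in the first hunk, so `$prefix` is dropped as well and nothing marks this as deliberate fail-closed behaviour. I would add a comment on that path, for example `// hidden course and no access: keep the title empty so the course name is not disclosed`, so a later refactor does not "fix" the blank title by restoring the name. `$user` is defined outside the hunk, and `$user->id` assumes it is always a user object here; that is worth confirming for callers that build event data without a logged-in user. The method continues past the hunk, so it is not visible whether other fields of the returned event data still identify the course for the same viewer; if they do, they need the same condition.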
-- 
GitLab