From 373b28b6dc7fd66fb42cc050f733d8b95ca856a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Noack?= <noack@data-quest.de>
Date: Fri, 3 Jan 2025 09:23:36 +0000
Subject: [PATCH] =?UTF-8?q?Resolve=20#5008=20"PHPLib=20-=20=C3=96ffentlich?=
 =?UTF-8?q?e=20Belegungspl=C3=A4ne=20gehen=20nicht"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #5008

Merge request studip/studip!3799
---
 app/controllers/resources/room_planning.php  |  6 ++++--
 app/controllers/room_management/overview.php | 13 +++++++------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/app/controllers/resources/room_planning.php b/app/controllers/resources/room_planning.php
index 37e91930230..6d6c92249a7 100644
--- a/app/controllers/resources/room_planning.php
+++ b/app/controllers/resources/room_planning.php
@@ -22,11 +22,13 @@
  */
 class Resources_RoomPlanningController extends AuthenticatedController
 {
+    protected $allow_nobody = true;
+
     public function before_filter(&$action, &$args)
     {
         $anonymous_actions = ['booking_plan', 'anonymous_booking_plan_data'];
-        if (in_array($action, $anonymous_actions)) {
-            $this->allow_nobody = true;
+        if (!in_array($action, $anonymous_actions) && $GLOBALS['user']->id === 'nobody') {
+            throw new AccessDeniedException();
         }
         parent::before_filter($action, $args);
     }
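Review bot: The new guard in before_filter reads `$GLOBALS['user']->id` before `parent::before_filter()` has run, and with `$allow_nobody = true` now set for the whole class it is the only thing keeping anonymous requests out of the non-public actions. If the user global is not yet populated at that point (not visible in this hunk), the comparison with 'nobody' is false and the request is let through. The check should fail closed, e.g. `$is_anonymous = !isset($GLOBALS['user']) || $GLOBALS['user']->id === 'nobody';` followed by `if ($is_anonymous && !in_array($action, $anonymous_actions, true)) {`; the strict third argument to in_array is a style fix only. The same pattern appears in RoomManagement_OverviewController::before_filter in the next file, where any action added later is also open to anonymous users unless the guard covers it.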
diff --git a/app/controllers/room_management/overview.php b/app/controllers/room_management/overview.php
index e9bae539636..de50457db3e 100644
--- a/app/controllers/room_management/overview.php
+++ b/app/controllers/room_management/overview.php
@@ -26,14 +26,12 @@
  */
 class RoomManagement_OverviewController extends AuthenticatedController
 {
+    protected $allow_nobody = true;
+
     public function before_filter(&$action, &$args)
     {
-        if ($action === 'public_booking_plans') {
-            if (Config::get()->RESOURCES_SHOW_PUBLIC_ROOM_PLANS) {
-                $this->allow_nobody = true;
-            } else {
-                throw new AccessDeniedException();
-            }
+        if ($action !== 'public_booking_plans' && $GLOBALS['user']->id === 'nobody') {
+            throw new AccessDeniedException();
         }
         parent::before_filter($action, $args);
 
@@ -434,6 +432,9 @@ class RoomManagement_OverviewController extends AuthenticatedController
      */
     public function public_booking_plans_action()
     {
+        if (!Config::get()->RESOURCES_SHOW_PUBLIC_ROOM_PLANS) {
+            throw new AccessDeniedException();
+        }
         if (Navigation::hasItem('/resources/overview/public_booking_plans')) {
             Navigation::activateItem('/resources/overview/public_booking_plans');
         }
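Review bot: The RESOURCES_SHOW_PUBLIC_ROOM_PLANS check at the top of public_booking_plans_action is now the only gate for this feature, and it runs after the whole of before_filter, whose remainder is outside the diff; previously a disabled feature was rejected before `parent::before_filter()`. Anything the filter sets up after the parent call therefore presumably runs for anonymous requests even when public plans are switched off. Consider keeping the rejection in the filter, `if ($action === 'public_booking_plans' && !Config::get()->RESOURCES_SHOW_PUBLIC_ROOM_PLANS) { throw new AccessDeniedException(); }`, or at least add a comment here such as `// Sole gate for anonymous access: the class sets $allow_nobody = true.`. The action body continues past the end of this hunk.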
-- 
GitLab