ensure the user may create a booking for a slot, fixes #1883

Closes #1883

Merge request studip/studip!1246

lib/classes/JsonApi/Routes/Consultations/Authority.php

@@ -44,6 +44,15 @@ final class Authority
         );
     }
 
+    public static function canBookSlotForUser(\User $user, \ConsultationSlot $slot, \User $booking_user): bool
+    {
+        if ($user->id !== $booking_user->id && !self::canEditSlot($user, $slot)) {
+            return false;
+        }
+
+        return self::canBookSlot($booking_user, $slot);
+    }
+
     public static function canShowBooking(\User $user, \ConsultationBooking $booking): bool
     {
         return self::canShowSlot($user, $booking->slot)

lib/classes/JsonApi/Routes/Consultations/BookingsCreate.php

@@ -19,9 +19,10 @@ class BookingsCreate extends JsonApiController
         $json = $this->validate($request, $args);
 
         $slot = $this->getBookingSlot($json, $args);
+        $user = $this->getUser($request);
         $booking_user = $this->getBookingUser($json);
 
-        if (!Authority::canBookSlot($booking_user, $slot)) {
+        if (!Authority::canBookSlotForUser($user, $slot, $booking_user)) {
             throw new AuthorizationFailedException();
         }
 

tests/jsonapi/ConsultationsBookingCreateBySlotIndexTest.php

@@ -6,7 +6,6 @@ use WoohooLabs\Yang\JsonApi\Response\JsonApiResponse;
 
 require_once __DIR__ . '/ConsultationHelper.php';
 
-// TODO: Test locked blocks
 class ConsultationsBookingCreateBySlotIndexTest extends Codeception\Test\Unit
 {
     use ConsultationHelper;