From 4333e038692f5d422125b76a56b7540f0d5f34fc Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Thu, 15 Dec 2022 13:13:15 +0000
Subject: [PATCH] ensure the user may create a booking for a slot, fixes #1883

Closes #1883

Merge request studip/studip!1246
---
 lib/classes/JsonApi/Routes/Consultations/Authority.php   | 9 +++++++++
 .../JsonApi/Routes/Consultations/BookingsCreate.php      | 3 ++-
 .../ConsultationsBookingCreateBySlotIndexTest.php        | 1 -
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Consultations/Authority.php b/lib/classes/JsonApi/Routes/Consultations/Authority.php
index d3022a13820..90ce3dad31e 100644
--- a/lib/classes/JsonApi/Routes/Consultations/Authority.php
+++ b/lib/classes/JsonApi/Routes/Consultations/Authority.php
@@ -44,6 +44,15 @@ final class Authority
         );
     }
 
+    public static function canBookSlotForUser(\User $user, \ConsultationSlot $slot, \User $booking_user): bool
+    {
+        if ($user->id !== $booking_user->id && !self::canEditSlot($user, $slot)) {
+            return false;
+        }
+
+        return self::canBookSlot($booking_user, $slot);
+    }
+
     public static function canShowBooking(\User $user, \ConsultationBooking $booking): bool
     {
         return self::canShowSlot($user, $booking->slot)
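Review bot: canBookSlotForUser carries the actual fix for #1883 but has no docblock, and a two-part authorization rule is exactly what the next maintainer needs spelled out rather than inferred from the condition. I would add above the signature a short docblock saying: whether $user may create a booking of $slot for $booking_user — a user may always act for themselves, anyone else needs edit rights on the slot via canEditSlot, and in both cases $booking_user must still pass canBookSlot. It is worth stating explicitly that canBookSlot is evaluated for $booking_user only, so the acting user's own ability to book the slot is never checked; that looks intended but reads as an omission without a comment. The commit adds no test for the rejected branch (a caller who is neither the booking user nor able to edit the slot); the test-file hunk only drops a TODO comment, so a regression test for the #1883 case appears to be missing.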
diff --git a/lib/classes/JsonApi/Routes/Consultations/BookingsCreate.php b/lib/classes/JsonApi/Routes/Consultations/BookingsCreate.php
index dd3566187d0..d041f954e82 100644
--- a/lib/classes/JsonApi/Routes/Consultations/BookingsCreate.php
+++ b/lib/classes/JsonApi/Routes/Consultations/BookingsCreate.php
@@ -19,9 +19,10 @@ class BookingsCreate extends JsonApiController
         $json = $this->validate($request, $args);
 
         $slot = $this->getBookingSlot($json, $args);
+        $user = $this->getUser($request);
         $booking_user = $this->getBookingUser($json);
 
-        if (!Authority::canBookSlot($booking_user, $slot)) {
+        if (!Authority::canBookSlotForUser($user, $slot, $booking_user)) {
             throw new AuthorizationFailedException();
         }
 
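Review bot: $booking_user is resolved from the request body on the line before the new authorization check, so a caller with no rights to book for others still triggers whatever getBookingUser does for an unknown or foreign id before canBookSlotForUser rejects the request. If getBookingUser throws a not-found style error for an unknown id (it is outside the hunk, so this is inferred), the differing error type lets an unprivileged caller tell existing user ids from non-existing ones. Consider either having getBookingUser fail with the same AuthorizationFailedException, or comparing the raw id taken from $json against $user->id (falling back to Authority::canEditSlot($user, $slot)) before the lookup is performed. The enclosing method begins before the hunk and continues after it.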
diff --git a/tests/jsonapi/ConsultationsBookingCreateBySlotIndexTest.php b/tests/jsonapi/ConsultationsBookingCreateBySlotIndexTest.php
index 590343ddd59..3f33de4ae30 100644
--- a/tests/jsonapi/ConsultationsBookingCreateBySlotIndexTest.php
+++ b/tests/jsonapi/ConsultationsBookingCreateBySlotIndexTest.php
@@ -6,7 +6,6 @@ use WoohooLabs\Yang\JsonApi\Response\JsonApiResponse;
 
 require_once __DIR__ . '/ConsultationHelper.php';
 
-// TODO: Test locked blocks
 class ConsultationsBookingCreateBySlotIndexTest extends Codeception\Test\Unit
 {
     use ConsultationHelper;
-- 
GitLab