From 48dcb4995d9bc465a3e7a21c7bc23f6138c4952a Mon Sep 17 00:00:00 2001
From: Ron Lucke <lucke@elan-ev.de>
Date: Wed, 9 Aug 2023 16:38:25 +0000
Subject: [PATCH] fix #2844

Closes #2844

Merge request studip/studip!2006
---
 lib/classes/JsonApi/Routes/Courseware/Authority.php        | 4 ++++
 lib/classes/JsonApi/Routes/Courseware/ClipboardsInsert.php | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/lib/classes/JsonApi/Routes/Courseware/Authority.php b/lib/classes/JsonApi/Routes/Courseware/Authority.php
index 9fb281005b5..36488a40634 100644
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -549,5 +549,9 @@ class Authority
         return self::canIndexClipboardsOfAUser($request_user, $user);
     }
 
+    public static function canInsertFromClipboard(User $user, Clipboard $resource)
+    {
+        return $resource->user_id === $user->id;
+    }
 
 }
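Review bot: `canInsertFromClipboard` is added with no docblock and no return type, so the ownership rule this fix relies on is only implicit in the comparison. I would declare it as `public static function canInsertFromClipboard(User $user, Clipboard $resource): bool` and add a short docblock saying that only the user who owns the clipboard may insert from it. The strict `===` between `$resource->user_id` and `$user->id` fails closed if the two values ever differ in type, which is the safe direction, but it is worth confirming that both are always strings so legitimate owners are not rejected.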
diff --git a/lib/classes/JsonApi/Routes/Courseware/ClipboardsInsert.php b/lib/classes/JsonApi/Routes/Courseware/ClipboardsInsert.php
index 5f5f7d07905..4fafc4c22c5 100644
--- a/lib/classes/JsonApi/Routes/Courseware/ClipboardsInsert.php
+++ b/lib/classes/JsonApi/Routes/Courseware/ClipboardsInsert.php
@@ -35,6 +35,11 @@ class ClipboardsInsert extends NonJsonApiController
         }
 
         $user = $this->getUser($request);
+
+        if (!Authority::canInsertFromClipboard($user, $clipboard)) {
+            throw new AuthorizationFailedException();
+        }
+
         $backup = json_decode($clipboard->backup);
 
         if ($clipboard->object_type === 'courseware-blocks') {
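Review bot: The new guard before `json_decode` authorises only the source clipboard; nothing visible in this hunk checks that `$user` may write to the place the clipboard content is inserted into. The method starts and ends outside the hunk, so that check may already exist further down; if it does not, it belongs next to this one so both sides of the copy are authorised before the backup is decoded. A one-line comment above the guard, such as `// A clipboard may only be inserted by its owner.`, would record why the check is there.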
-- 
GitLab