fixes #4144

Closes #4144

Merge request studip/studip!2985

app/controllers/admission/courseset.php

@@ -23,7 +23,6 @@ class Admission_CoursesetController extends AuthenticatedController
     {
         parent::before_filter($action, $args);
 
-        if (!Request::isXhr()) {
         PageLayout::setTitle(_('Anmeldesets'));
         // Get only own courses if user doesn't have permission to edit institute-wide coursesets.
         $this->onlyOwnCourses = true;
@@ -34,7 +33,7 @@ class Admission_CoursesetController extends AuthenticatedController
         } else {
             throw new AccessDeniedException();
         }
-        }
+
         PageLayout::addScript('studip-admission.js');
 
         $views = new ActionsWidget();
@@ -44,6 +43,7 @@ class Admission_CoursesetController extends AuthenticatedController
             Icon::create('add')
         )->setActive($action === 'configure');
         Sidebar::Get()->addWidget($views);
+
         if (!isset($this->instant_course_set_view)) {
             $this->instant_course_set_view = false;
         }
@@ -327,16 +327,20 @@ class Admission_CoursesetController extends AuthenticatedController
      *
      * @param String $coursesetId the course set to delete
      */
-    public function delete_action($coursesetId) {
+    public function delete_action($coursesetId)
+    {
         $this->courseset = new CourseSet($coursesetId);
-        if (Request::int('really')) {
+
+        if (!$this->courseset->isUserAllowedToEdit(User::findCurrent()->id)) {
+            throw new AccessDeniedException(_('Sie dürfen diese Anmelderegel nicht löschen.'));
+        }
+
+        if (Request::bool('really')) {
             $this->courseset->delete();
-            $this->redirect($this->url_for('admission/courseset'));
         }
-        if (Request::int('cancel')) {
+
         $this->redirect($this->url_for('admission/courseset'));
     }
-    }
 
     /**
      * Fetches courses at institutes specified by a given course set, filtered by a
@@ -757,12 +761,18 @@ class Admission_CoursesetController extends AuthenticatedController
 
         $ids = Request::optionArray('ids');
         if (Request::submitted('delete')) {
+            $deleted = 0;
             foreach ($ids as $id) {
                 $courseset = new CourseSet($id);
+                if ($courseset->isUserAllowedToEdit(User::findCurrent()->id)) {
                     $courseset->delete();
+                    $deleted += 1;
+                }
             }
+            if ($deleted > 0) {
                 PageLayout::postSuccess(_('Die Anmeldesets wurden gelöscht.'));
             }
+        }
 
         $this->redirect('admission/courseset');
     }