From c321f1d4767b3d3e8a35c96bef7e06a28491c2a9 Mon Sep 17 00:00:00 2001
From: Ron Lucke <lucke@elan-ev.de>
Date: Tue, 21 Feb 2023 15:22:07 +0000
Subject: [PATCH] fix #2101

Closes #2101

Merge request studip/studip!1357
---
 .../JsonApi/Routes/Courseware/Authority.php | 7 ++-
 .../JsonApi/Routes/Courseware/UnitsCreate.php | 51 ++++++++++---------
 2 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Courseware/Authority.php b/lib/classes/JsonApi/Routes/Courseware/Authority.php
index da1724af36b..740364b6a13 100644
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -484,9 +484,12 @@ class Authority
 return $GLOBALS['perm']->have_perm('root', $user->id);
 }
 
- public static function canCreateUnit(User $user): bool
+ public static function canCreateUnit(User $user, \Range $range): bool
 {
- return $GLOBALS['perm']->have_perm('tutor', $user->id);
+ if ($user->id === $range->id) {
+ return true;
+ }
+ return $GLOBALS['perm']->have_studip_perm('tutor', $range->id ,$user->id);
 }
 
 public static function canUpdateUnit(User $user, Unit $resource): bool
diff --git a/lib/classes/JsonApi/Routes/Courseware/UnitsCreate.php b/lib/classes/JsonApi/Routes/Courseware/UnitsCreate.php
index a96f160fd02..c10961984d4 100644
--- a/lib/classes/JsonApi/Routes/Courseware/UnitsCreate.php
+++ b/lib/classes/JsonApi/Routes/Courseware/UnitsCreate.php
@@ -24,10 +24,15 @@ class UnitsCreate extends JsonApiController
 {
 $json = $this->validate($request);
 $user = $this->getUser($request);
- if (!Authority::canCreateUnit($user)) {
+ $range = $this->getRange($json);
+
+ if (!$range) {
+ throw new RecordNotFoundException();
+ }
+ if (!Authority::canCreateUnit($user, $range)) {
 throw new AuthorizationFailedException();
 }
- $struct = $this->createUnit($user, $json);
+ $struct = $this->createUnit($user, $range, $json);
 
 return $this->getCreatedResponse($struct);
 }
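Review bot: The new `canCreateUnit` reads `$range->id` through a `\Range` type hint, while the UnitsCreate.php hunks in the same commit go through the interface accessor `$range->getRangeId()`; using the accessor here too keeps the check valid for any `\Range` implementation and also fixes the `$range->id ,$user->id` comma spacing: `if ($user->id === $range->getRangeId()) { return true; }` and `return $GLOBALS['perm']->have_studip_perm('tutor', $range->getRangeId(), $user->id);`. The self-ownership shortcut grants creation whenever the caller's id equals the range id without confirming the range is a user range, so a comparison against `$range->getRangeType()` as well would make the intent explicit and rule out collisions with other range types. A short docblock stating the rule — owner of a personal range, or tutor-or-better on the range — would help callers, since the previous version only required a global tutor permission. Whether `have_studip_perm` gives a meaningful answer when `$range` is another user's personal range depends on `$GLOBALS['perm']` internals not visible in this hunk.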
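Review bot: The range is resolved twice per request if `validateRange()` is invoked from `$this->validate()`, as its name and the second file suggest — once there via `getRange()` and again here — so returning the resolved `\Range` from validation or memoising it on the controller would avoid the duplicate lookup. Because `getRange()` maps every `\Exception` to `null`, the `RecordNotFoundException` thrown here also covers database or factory errors, which then surface as a 404 rather than a server error; a comment such as `// getRange() returns null for any lookup failure, not only an unknown id` would keep that visible. The existence check runs before the permission check, so an authenticated client without rights on the range can tell whether the id exists; if that matters, checking authorization first or raising the same exception type for both cases closes it.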
@@ -57,31 +62,33 @@ class UnitsCreate extends JsonApiController
 }
 }
 
- private function validateRange($json): bool
+ private function getRange($json): ?\Range
 {
 $rangeData = self::arrayGet($json, 'data.relationships.range.data');
 
- if (!in_array($rangeData['type'], ['courses','users'])) {
- return false;
- }
- if ($rangeData['type'] === 'courses') {
- $range = \Course::find($rangeData['id']);
- } else {
- $range = \User::find($rangeData['id']);
+ try {
+ return \RangeFactory::createRange(
+ $this->getRangeType($rangeData['type']),
+ $rangeData['id']
+ );
+ } catch (\Exception $e) {
+ return null;
 }
+ }
+
+ private function validateRange($json): bool
+ {
+ $range = $this->getRange($json);
 
 return isset($range);
 }
 
- private function createUnit(\User $user, array $json)
+ private function createUnit(\User $user, \Range $range, array $json)
 {
- $range_id = self::arrayGet($json, 'data.relationships.range.data.id');
- $range_type = self::getRangeType(self::arrayGet($json, 'data.relationships.range.data.type'));
-
- $struct = \Courseware\StructuralElement::build([
+ $struct = \Courseware\StructuralElement::create([
 'parent_id' => null,
- 'range_id' => $range_id,
- 'range_type' => $range_type,
+ 'range_id' => $range->getRangeId(),
+ 'range_type' => $range->getRangeType(),
 'owner_id' => $user->id,
 'editor_id' => $user->id,
 'edit_blocker_id' => '',
@@ -91,11 +98,9 @@ class UnitsCreate extends JsonApiController
 'position' => 0
 ]);
 
- $struct->store();
-
- $unit = \Courseware\Unit::build([
- 'range_id' => $range_id,
- 'range_type' => $range_type,
+ $unit = \Courseware\Unit::create([
+ 'range_id' => $range->getRangeId(),
+ 'range_type' => $range->getRangeType(),
 'structural_element_id' => $struct->id,
 'content_type' => 'courseware',
 'creator_id' => $user->id,
@@ -104,8 +109,6 @@ class UnitsCreate extends JsonApiController
 'withdraw_date' => self::arrayGet($json, 'data.attributes.withdraw-date'),
 ]);
 
- $unit->store();
-
 return $unit;
 }
 
-- GitLab
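Review bot: `getRange()` drops the old `in_array($rangeData['type'], ['courses','users'])` allow-list and accepts whatever `getRangeType()` and `\RangeFactory::createRange()` are willing to build, so unless those two enforce the same restriction (not visible here) the endpoint now creates units on range types the tutor check in `canCreateUnit` was not written for; keeping the allow-list explicitly in `getRange()` is cheap and self-documenting. The `catch (\Exception $e)` also converts unrelated failures into "not found", and it does not cover a `TypeError` from `getRangeType()` if that method declares a string parameter and `type` is missing, since `$rangeData['type']` and `$rangeData['id']` are read without checking that `$rangeData` is an array holding both keys. Narrowing the catch to what `createRange()` actually throws, or at least logging before returning `null`, keeps real faults visible; `validateRange()` could then shrink to `return $this->getRange($json) !== null;`. The comment `// TODO narrow to the exceptions createRange() actually throws` marks the remaining open point in the sketch below.
```php
private function getRange($json): ?\Range
{
    $rangeData = self::arrayGet($json, 'data.relationships.range.data');
    if (!is_array($rangeData) || !isset($rangeData['type'], $rangeData['id'])) {
        return null;
    }
    // Keep the explicit allow-list the previous implementation had.
    if (!in_array($rangeData['type'], ['courses', 'users'], true)) {
        return null;
    }
    try {
        return \RangeFactory::createRange(
            $this->getRangeType($rangeData['type']),
            $rangeData['id']
        );
    } catch (\Exception $e) { // TODO narrow to the exceptions createRange() actually throws
        return null;
    }
}
// … unchanged: validateRange, createUnit …
```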