fix #1047 - add perm check for user context

Closes #1047 Merge request studip/studip!1095

fix #1047 - add perm check for user context
da3c47c4 · Viktoria Wiebe · David Siegfried · 99cce644 · da3c47c4
Commit da3c47c4 authored 2 years ago by Viktoria Wiebe Committed by David Siegfried 2 years ago
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -262,6 +262,10 @@ class Authority
    public static function canUpdateBlockComment(User $user, BlockComment $resource)
    {
+        if ($resource->block->container->structural_element->range_type === 'user') {
+            return $resource->block->container->structural_element->range_id === $user->id;
+        }
        $perm = $GLOBALS['perm']->have_studip_perm(
            $resource->block->container->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
            $resource->block->container->structural_element->course->id,
@@ -383,6 +387,10 @@ class Authority
            return true;
        }
+        if ($resource->structural_element->range_type === 'user') {
+            return $resource->structural_element->range_id === $user->id;
+        }
        $perm = $GLOBALS['perm']->have_studip_perm(
            $resource->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
            $resource->structural_element->course->id,
@@ -408,6 +416,10 @@ class Authority
            return true;
        }
+        if ($resource->range_type === 'user') {
+            return $resource->range_id === $user->id;
+        }
        $perm = $GLOBALS['perm']->have_studip_perm(
            $resource->course->config->COURSEWARE_EDITING_PERMISSION,
            $resource->course->id,