From edc33ef9191a648bc47483b9064c8de57d4a606b Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Mon, 17 Jun 2024 08:21:04 +0000
Subject: [PATCH] fixes #4277

Closes #4277

Merge request studip/studip!3116
---
 .../JsonApi/Routes/Files/SubfoldersIndex.php  | 23 ++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Files/SubfoldersIndex.php b/lib/classes/JsonApi/Routes/Files/SubfoldersIndex.php
index e8f4d133f49..f0ad18c720a 100644
--- a/lib/classes/JsonApi/Routes/Files/SubfoldersIndex.php
+++ b/lib/classes/JsonApi/Routes/Files/SubfoldersIndex.php
@@ -19,20 +19,31 @@ class SubfoldersIndex extends JsonApiController
      */
     public function __invoke(Request $request, Response $response, $args)
     {
-        if (!$folder = \FileManager::getTypedFolder($args['id'])) {
+        $folder = \FileManager::getTypedFolder($args['id']);
+        if (!$folder) {
             throw new RecordNotFoundException();
         }
 
-        if (!Authority::canShowFolder($this->getUser($request), $folder)) {
+        $user = $this->getUser($request);
+
+        if (!Authority::canShowFolder($user, $folder)) {
             throw new AuthorizationFailedException();
         }
 
-        $subfolders = array_map(
-            function ($subfolder) {
-                return $subfolder->getTypedFolder();
+        $subfolders = array_reduce(
+            $folder->subfolders->getArrayCopy(),
+            function ($result, $subfolder) use ($user) {
+                $folder = $subfolder->getTypedFolder();
+
+                if (Authority::canShowFolder($user, $folder)) {
+                    $result[] = $folder;
+                }
+
+                return $result;
             },
-            $folder->subfolders->getArrayCopy()
+            []
         );
+
         list($offset, $limit) = $this->getOffsetAndLimit();
 
         return $this->getPaginatedContentResponse(
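Review bot: The per-subfolder `Authority::canShowFolder($user, $folder)` call inside the `array_reduce` closure is the actual access-control fix, but nothing in the code says so. A comment such as `// Being allowed to see the parent does not imply being allowed to see each subfolder.` would keep a later refactor from collapsing it back into a plain `array_map`. The closure also reuses the name `$folder` for the typed subfolder. This is harmless, because a PHP closure has its own scope, but it reads as if the parent folder checked above were overwritten; `$typedSubfolder` would be clearer. The patch adds no test, so a regression test should assert that a user who may see the parent but not one of its subfolders does not receive that subfolder in the response. The body of `__invoke` continues past the end of this hunk, so how the filtered list feeds into pagination is not visible here.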
-- 
GitLab