From fc110b22d1dfe3019c764eee8e9184431752d5d1 Mon Sep 17 00:00:00 2001
From: Marcus Eibrink-Lunzenauer <lunzenauer@elan-ev.de>
Date: Fri, 15 Sep 2023 13:32:25 +0200
Subject: [PATCH] Use original policies to access feedback elements and
 entries.

---
 .../JsonApi/Routes/Feedback/Authority.php     | 39 +++++--------------
 lib/models/FeedbackEntry.php                  | 11 +++---
 2 files changed, 15 insertions(+), 35 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Feedback/Authority.php b/lib/classes/JsonApi/Routes/Feedback/Authority.php
index 683f1ae96d6..04d6ad1e85e 100644
--- a/lib/classes/JsonApi/Routes/Feedback/Authority.php
+++ b/lib/classes/JsonApi/Routes/Feedback/Authority.php
@@ -53,54 +53,33 @@ class Authority
         return self::canShowFeedbackElement($user, $feedbackElement);
     }
 
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
     public static function canCreateFeedbackEntry(User $user, FeedbackElement $element): bool
     {
-        if (!$element->isFeedbackable()) {
-            return false;
-        }
-
-        // TODO: Wann darf ich Feedback Entries schreiben
-        return true;
+        return $element->isFeedbackable($user->getId());
     }
 
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
     public static function canUpdateFeedbackEntry(User $user, FeedbackEntry $entry): bool
     {
-        if (!$entry->isEditable()) {
-            return false;
-        }
-
-        // TODO: Wann darf ich Feedback Entries bearbeiten
-        return true;
+        return $entry->isEditable($user->getId());
     }
 
     public static function canDeleteFeedbackEntry(User $user, FeedbackEntry $entry): bool
     {
-        return self::canUpdateFeedbackEntry($user, $entry);
+        return $entry->isDeletable($user->getId());
     }
 
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
     public static function canCreateFeedbackElement(User $user, FeedbackRange $range): bool
     {
-        // TODO: Wann darf ich Feedback Elemente anhängen
-        // bisher https://gitlab.studip.de/studip/studip/-/blob/main/lib/classes/Feedback.class.php#L76
-        return true;
+        return $range->isRangeAccessible($user->getId()) &&
+            Feedback::hasCreatePerm($range->getRangeCourseId(), $user->getId());
     }
 
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
     public static function canUpdateFeedbackElement(User $user, FeedbackElement $element): bool
     {
-        // TODO: Wann darf ich Feedback Elemente ändern?
-        return true;
+        $range = $element->getRange();
+
+        return $range->isRangeAccessible($user->getId()) &&
+            Feedback::hasAdminPerm($range->getRangeCourseId(), $user->getId());
     }
 
     public static function canDeleteFeedbackElement(User $user, FeedbackElement $element): bool
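Review bot: `canCreateFeedbackEntry` now passes `$user->getId()` to `isFeedbackable()`, but this patch only touches Authority.php and FeedbackEntry.php, so the FeedbackElement side is not shown; if `isFeedbackable()` there is still the parameterless method the removed line called, PHP silently discards the extra argument and the check stays exactly as permissive as before the TODO was removed — please confirm its signature takes a user id (and likewise `isRangeAccessible`, `getRangeCourseId`, `hasCreatePerm`/`hasAdminPerm`, none of which are in the diff). In `canUpdateFeedbackElement` the result of `$element->getRange()` is dereferenced without a null check; if a range can be missing (deleted course, orphaned element) this throws instead of denying, so a guard such as `if ($range === null) { return false; }` before the `return` would fail closed. Note also that `canUpdateFeedbackEntry`/`canDeleteFeedbackEntry` now depend only on entry ownership and no longer consult whether the user can still reach the element's range, which may be intended by "original policies" but is worth stating in a docblock on those two methods. The body of `canDeleteFeedbackElement` continues outside this hunk.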
diff --git a/lib/models/FeedbackEntry.php b/lib/models/FeedbackEntry.php
index 4b4ea7c3564..293ee20e951 100644
--- a/lib/models/FeedbackEntry.php
+++ b/lib/models/FeedbackEntry.php
@@ -33,16 +33,17 @@ class FeedbackEntry extends SimpleORMap
         parent::configure($config);
     }
 
-    public function isEditable()
+    public function isEditable(string $user_id = null): bool
     {
-        return $this->user_id === $GLOBALS['user']->id;
+        $user_id = $user_id ?? $GLOBALS['user']->getId();
+
+        return $this->user_id === $user_id;
     }
 
-    public function isDeletable()
+    public function isDeletable(string $user_id = null): bool
     {
         $deletable = false;
-
-        $user_id = $GLOBALS['user']->id;
+        $user_id = $user_id ?? $GLOBALS['user']->getId();
 
         if ($this->user_id == $user_id) {
             $deletable = true;
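Review bot: `isEditable` and `isDeletable` now receive the same `$user_id` argument but compare it differently: the new `isEditable` uses `===`, while `isDeletable` still matches with loose `==` on the line just below the added fallback, which for numeric-looking strings applies PHP's numeric comparison and is the wrong tool for an identity check; use `if ($this->user_id === $user_id) {` so both methods agree. The parameter declaration `string $user_id = null` is an implicitly nullable type (deprecated in PHP 8.4); write it as `?string $user_id = null` in both signatures. The fallback to `$GLOBALS['user']->getId()` keeps the old global dependency, so a one-line docblock note that callers should pass the user id explicitly (as the Authority class now does) would help. The remainder of `isDeletable` lies outside this hunk.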
-- 
GitLab