From 327bac3d6030f06dc5cba08b47d545cf84bbd5a9 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Wed, 11 Jan 2023 10:05:08 +0000
Subject: [PATCH] check all valid include paths, fixes #2003

Closes #2003

Merge request studip/studip!1302
---
 .../JsonApi/Schemas/SchemaProvider.php        | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/classes/JsonApi/Schemas/SchemaProvider.php b/lib/classes/JsonApi/Schemas/SchemaProvider.php
index c45c98168d2..de5f44d9da6 100644
--- a/lib/classes/JsonApi/Schemas/SchemaProvider.php
+++ b/lib/classes/JsonApi/Schemas/SchemaProvider.php
@@ -70,6 +70,25 @@ abstract class SchemaProvider extends BaseSchema
     {
         $path = $context->getPosition()->getLevel() ? $context->getPosition()->getPath() . '.' : '';
 
-        return in_array($path . $key, $context->getIncludePaths());
+        return in_array($path . $key, $this->getAllowedAncludePaths($context));
+    }
+
+    /**
+     * @param ContextInterface $context
+     * @return array
+     */
+    public function getAllowedAncludePaths(ContextInterface $context): array
+    {
+        $allowedIncludePaths = [];
+
+        foreach ($context->getIncludePaths() as $path) {
+            $carry = '';
+            foreach (explode('.', $path) as $p) {
+                $allowedIncludePaths[] = $carry . $p;
+                $carry .= "{$p}.";
+            }
+        }
+
+        return $allowedIncludePaths;
     }
 }
-- 
GitLab