Commit 62ee91c9 authored by Jan-Hendrik Willms's avatar Jan-Hendrik Willms

always allow accessing course teachers and tutors and update visibility check...

always allow accessing course teachers and tutors and update visibility check in user model, fixes #4714

Closes #4714

Merge request studip/studip!3506
parent 26f29497
...@@ -16,15 +16,16 @@ class Authority ...@@ -16,15 +16,16 @@ class Authority
public static function canShowCourse(User $user, Course $course, $scope) public static function canShowCourse(User $user, Course $course, $scope)
{ {
switch ($scope) { switch ($scope) {
case self::SCOPE_BASIC: case self::SCOPE_BASIC:
return return
// visible // visible
((int) $course->visible) || $GLOBALS['perm']->have_perm(\Config::get()->SEM_VISIBILITY_PERM) $course->visible
// member || $GLOBALS['perm']->have_perm(\Config::get()->SEM_VISIBILITY_PERM)
|| $GLOBALS['perm']->have_studip_perm('user', $course->id, $user->id); // member
|| $GLOBALS['perm']->have_studip_perm('user', $course->id, $user->id);
case self::SCOPE_EXTENDED:
return $GLOBALS['perm']->have_studip_perm('user', $course->id, $user->id); case self::SCOPE_EXTENDED:
return $GLOBALS['perm']->have_studip_perm('user', $course->id, $user->id);
} }
return false; return false;
...@@ -48,7 +49,7 @@ class Authority ...@@ -48,7 +49,7 @@ class Authority
public static function canIndexMemberships(User $user, Course $course) public static function canIndexMemberships(User $user, Course $course)
{ {
return self::canShowCourse($user, $course, self::SCOPE_EXTENDED); return self::canShowCourse($user, $course, self::SCOPE_BASIC);
} }
public static function canIndexMembershipsOfUser(User $observer, User $user) public static function canIndexMembershipsOfUser(User $observer, User $user)
......
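Review bot: With `canIndexMemberships` switched to `SCOPE_BASIC`, this check now passes for anyone who can see the course, so it no longer protects student memberships on its own; that protection rests entirely on the filtering inside `CoursesMembershipsIndex`. Any other caller of `canIndexMemberships` (none is visible on this page) that returns `$course->members` unfiltered would now expose the full list, so the callers are worth checking. I would document the new contract on the method, e.g. `// Only gates access to the list; callers must still filter members by visibility and course role.` Separately, in the `SCOPE_BASIC` branch `have_perm(...)` is called without `$user->id` while `have_studip_perm` receives it, so that clause presumably evaluates the session user rather than `$user`; worth confirming the two are always the same here. The closing brace of `canShowCourse` lies outside the hunk.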
...@@ -45,19 +45,36 @@ class CoursesMembershipsIndex extends JsonApiController ...@@ -45,19 +45,36 @@ class CoursesMembershipsIndex extends JsonApiController
{ {
$memberships = $course->members; $memberships = $course->members;
$visibleMemberships = Authority::canEditCourse($user, $course) // Filter by permission?
? $memberships if (isset($filters['permission'])) {
: $memberships->filter(function ($membership) use ($user) { $memberships = $memberships->filter(function (\CourseMember $membership) use ($filters) {
return $membership['user_id'] == $user->id || return $membership->status === $filters['permission'];
!in_array($membership['status'], ['autor', 'user']) ||
'no' != $membership['visible'];
}); });
}
// Filter out invisible members if not teacher
if (!Authority::canEditCourse($user, $course)) {
$memberships = $memberships->filter(function (\CourseMember $membership) use ($user) {
return $membership->user->isAccessibleToUser($user->id)
&& (
$membership->user_id === $user->id
|| $membership->visible !== 'no'
);
});
}
// Filter out students if not in course
if (!Authority::canShowCourse($user, $course, Authority::SCOPE_EXTENDED)) {
$memberships = $memberships->filter(function (\CourseMember $membership) use ($user) {
return $membership->user->isAccessibleToUser($user->id)
&& (
$membership->user_id === $user->id
|| !in_array($membership->status, ['autor', 'user'])
);
});
}
return isset($filters['permission']) return $memberships;
? $visibleMemberships->filter(function ($membership) use ($filters) {
return $membership['status'] === $filters['permission'];
})
: $visibleMemberships;
} }
private function validateFilters() private function validateFilters()
......
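Review bot: Both new closures require `$membership->user->isAccessibleToUser($user->id)` before they look at the course role, so a teacher or tutor whose account visibility is 'no' or 'never' is now dropped for non-editors (unless the `DOZENT_ALWAYS_VISIBLE` clause applies). The removed filter kept every member whose status was not 'autor' or 'user', and the commit title says teachers and tutors should always be accessible. If hiding them is intended, say so on the closure, e.g. `// account-level visibility takes precedence over the course role`; if not, the role test has to short-circuit before the visibility call. The status test should also be strict, `!in_array($membership->status, ['autor', 'user'], true)`, and `$membership->user` is dereferenced without a null check, which presumably relies on every membership row having a user record. The method's signature is outside the hunk.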
...@@ -1507,13 +1507,15 @@ class User extends AuthUserMd5 implements Range, PrivacyObject, Studip\Calendar\ ...@@ -1507,13 +1507,15 @@ class User extends AuthUserMd5 implements Range, PrivacyObject, Studip\Calendar\
*/ */
public function isAccessibleToUser($user_id = null) public function isAccessibleToUser($user_id = null)
{ {
// TODO: Visibility checks
if ($user_id === null) { if ($user_id === null) {
$user_id = $GLOBALS['user']->id; $user_id = self::findCurrent()->id;
} }
return $user_id === $this->user_id return $user_id === $this->user_id
|| static::find($user_id)->perms === 'root' || static::find($user_id)->perms === 'root'
|| !in_array(static::find($this->user_id)->visible, ['no', 'never']); || !in_array($this->visible, ['no', 'never'])
|| (Config::get()->getValue('USER_VISIBILITY_UNKNOWN') && $this->visible === 'unknown')
|| ($this->perms === 'dozent' && Config::get()->getValue('DOZENT_ALWAYS_VISIBLE'));
} }
/** /**
......
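Review bot: The `USER_VISIBILITY_UNKNOWN` clause in `isAccessibleToUser` can never change the result, because `!in_array($this->visible, ['no', 'never'])` on the line before it is already true whenever `$this->visible === 'unknown'`. A user with visibility 'unknown' is therefore treated as accessible even when that setting is off, which looks like the opposite of what the new clause is meant to allow. If the setting is supposed to decide this case, the exclusion list needs the value as well: `|| !in_array($this->visible, ['no', 'never', 'unknown'], true)`. Separately, `static::find($user_id)->perms` raises an error instead of returning false when no user exists for `$user_id`, and `self::findCurrent()->id` would presumably do the same without a current user; a null check before reading the property would make both paths deny access. The method's docblock starts outside the hunk.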