Resolve #4701 "Administration/Veranstaltungs-Stundenplan kann ohne Admin Rechte aufgerufen werden"

Closes #4701 Merge request studip/studip!3495

Resolve #4701 "Administration/Veranstaltungs-Stundenplan kann ohne Admin Rechte aufgerufen werden"
802c7a67 · André Noack · 95f4b928 · 802c7a67 · 802c7a67
Commit 802c7a67 authored 5 months ago by André Noack
--- a/app/controllers/admin/courseplanning.php
+++ b/app/controllers/admin/courseplanning.php
@@ -12,10 +12,12 @@ class Admin_CourseplanningController extends AuthenticatedController
    {
        parent::before_filter($action, $args);
-        if ($GLOBALS['perm']->have_perm('admin')) {
+        if (!$GLOBALS['perm']->have_perm('admin')) {
-            Navigation::activateItem('/browse/my_courses/schedule');
+            throw new AccessDeniedException();
        }
+        Navigation::activateItem('/browse/my_courses/schedule');
        $this->insts = Institute::getMyInstitutes($GLOBALS['user']->id);
        if (empty($this->insts) && !$GLOBALS['perm']->have_perm('root')) {

--- a/lib/classes/InstituteCalendarHelper.php
+++ b/lib/classes/InstituteCalendarHelper.php
@@ -142,7 +142,7 @@ class InstituteCalendarHelper
        $df = DatafieldEntryModel::findByModel($course, self::COLUMN_DATAFIELD_ID);
        if ($df[0]) {
            $event_columns = self::getCourseEventcolumns($course);
-            if (!is_array($event_columns[$event_id])) {
+            if (isset($event_columns[$event_id]) && !is_array($event_columns[$event_id])) {
                unset($event_columns[$event_id]);
            }
            $event_columns[$event_id][$institut_id] = $column;