From 802c7a675469ab680f1fa58132c54f15b6cb4a0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Noack?= <noack@data-quest.de>
Date: Tue, 15 Oct 2024 14:33:43 +0000
Subject: [PATCH] Resolve #4701 "Administration/Veranstaltungs-Stundenplan kann
ohne Admin Rechte aufgerufen werden"
Closes #4701
Merge request studip/studip!3495
---
app/controllers/admin/courseplanning.php | 6 ++++--
lib/classes/InstituteCalendarHelper.php | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/controllers/admin/courseplanning.php b/app/controllers/admin/courseplanning.php
index 44b372db7a3..be411338668 100644
--- a/app/controllers/admin/courseplanning.php
+++ b/app/controllers/admin/courseplanning.php
@@ -12,10 +12,12 @@ class Admin_CourseplanningController extends AuthenticatedController
{
parent::before_filter($action, $args);
- if ($GLOBALS['perm']->have_perm('admin')) {
- Navigation::activateItem('/browse/my_courses/schedule');
+ if (!$GLOBALS['perm']->have_perm('admin')) {
+ throw new AccessDeniedException();
}
+ Navigation::activateItem('/browse/my_courses/schedule');
+
$this->insts = Institute::getMyInstitutes($GLOBALS['user']->id);
if (empty($this->insts) && !$GLOBALS['perm']->have_perm('root')) {
diff --git a/lib/classes/InstituteCalendarHelper.php b/lib/classes/InstituteCalendarHelper.php
index 95e9e8d5ad6..343bc765b0e 100644
--- a/lib/classes/InstituteCalendarHelper.php
+++ b/lib/classes/InstituteCalendarHelper.php
@@ -142,7 +142,7 @@ class InstituteCalendarHelper
$df = DatafieldEntryModel::findByModel($course, self::COLUMN_DATAFIELD_ID);
if ($df[0]) {
$event_columns = self::getCourseEventcolumns($course);
- if (!is_array($event_columns[$event_id])) {
+ if (isset($event_columns[$event_id]) && !is_array($event_columns[$event_id])) {
unset($event_columns[$event_id]);
}
$event_columns[$event_id][$institut_id] = $column;
--
GitLab