fix #857

861a2621 · Ron Lucke · Elmar Ludwig · f276e32b · 861a2621 · 861a2621
Commit 861a2621 authored 2 years ago by Ron Lucke Committed by Elmar Ludwig 2 years ago
--- a/lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php
+++ b/lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php
@@ -30,8 +30,9 @@ class BlocksCopy extends NonJsonApiController
        $block = \Courseware\Block::find($data['block']['id']);
        $container = \Courseware\Container::find($data['parent_id']);
+        $user = $this->getUser($request);
-        if (!Authority::canCreateBlocks($user = $this->getUser($request), $container)) {
+        if (!Authority::canCreateBlocks($user, $container) || !Authority::canUpdateBlock($user, $block)) {
            throw new AuthorizationFailedException();
        }
@@ -58,4 +59,4 @@ class BlocksCopy extends NonJsonApiController
        //TODO update section block ids
        return true;
    }
 }
\ No newline at end of file
--- a/lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php
+++ b/lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php
@@ -30,7 +30,8 @@ class ContainersCopy extends NonJsonApiController
        $container = \Courseware\Container::find($data['container']['id']);
        $element = \Courseware\StructuralElement::find($data['parent_id']);
-        if (!Authority::canCreateContainer($user = $this->getUser($request), $element)) {
+        $user = $this->getUser($request);
+        if (!Authority::canCreateContainer($user, $element) || !Authority::canUpdateContainer($user, $container)) {
            throw new AuthorizationFailedException();
        }
@@ -48,4 +49,4 @@ class ContainersCopy extends NonJsonApiController
        return $container;
    }
 }
\ No newline at end of file
--- a/lib/classes/JsonApi/Routes/Courseware/StructuralElementsCopy.php
+++ b/lib/classes/JsonApi/Routes/Courseware/StructuralElementsCopy.php
@@ -28,7 +28,8 @@ class StructuralElementsCopy extends NonJsonApiController
        $sourceElement = StructuralElement::find($args['id']);
        $newParent = StructuralElement::find($data['parent_id']);
-        if (!Authority::canCreateContainer($user = $this->getUser($request), $newParent)) {
+        $user = $this->getUser($request);
+        if (!Authority::canCreateStructuralElement($user, $newParent) || !Authority::canUpdateStructuralElement($user, $sourceElement)) {
            throw new AuthorizationFailedException();
        }