From 861a2621e6732a95aaf8e0a9f25ba77dc22c9024 Mon Sep 17 00:00:00 2001
From: Ron Lucke <lucke@elan-ev.de>
Date: Fri, 1 Apr 2022 14:03:32 +0000
Subject: [PATCH] fix #857

---
 lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php         | 5 +++--
 lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php     | 5 +++--
 .../JsonApi/Routes/Courseware/StructuralElementsCopy.php     | 3 ++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php b/lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php
index 00bf546197b..3e34ed0e97d 100755
--- a/lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php
+++ b/lib/classes/JsonApi/Routes/Courseware/BlocksCopy.php
@@ -30,8 +30,9 @@ class BlocksCopy extends NonJsonApiController
 
         $block = \Courseware\Block::find($data['block']['id']);
         $container = \Courseware\Container::find($data['parent_id']);
+        $user = $this->getUser($request);
 
-        if (!Authority::canCreateBlocks($user = $this->getUser($request), $container)) {
+        if (!Authority::canCreateBlocks($user, $container) || !Authority::canUpdateBlock($user, $block)) {
             throw new AuthorizationFailedException();
         }
 
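Review bot: The `$block` and `$container` lookups on the two `find()` lines are passed to the authorization checks without a null check, and the added `Authority::canUpdateBlock($user, $block)` call now also depends on the source lookup having succeeded. If `find()` returns null for an unknown id, which is presumably the case, a request with a stale or made-up `block.id` would probably end in a type error instead of a clean not-found response. A guard before the `if`, such as `if (!$block || !$container) { /* respond with the controller's not-found error */ }`, would make the outcome explicit. The same pattern appears in the ContainersCopy and StructuralElementsCopy hunks (`$container`/`$element` and `$sourceElement`/`$newParent`). The enclosing method starts and ends outside this hunk.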
@@ -58,4 +59,4 @@ class BlocksCopy extends NonJsonApiController
         //TODO update section block ids
         return true;
     }
-}
\ No newline at end of file
+}
diff --git a/lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php b/lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php
index 9cfbf9dd73f..08748399429 100755
--- a/lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php
+++ b/lib/classes/JsonApi/Routes/Courseware/ContainersCopy.php
@@ -30,7 +30,8 @@ class ContainersCopy extends NonJsonApiController
 
         $container = \Courseware\Container::find($data['container']['id']);
         $element = \Courseware\StructuralElement::find($data['parent_id']);
-        if (!Authority::canCreateContainer($user = $this->getUser($request), $element)) {
+        $user = $this->getUser($request);
+        if (!Authority::canCreateContainer($user, $element) || !Authority::canUpdateContainer($user, $container)) {
             throw new AuthorizationFailedException();
         }
 
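Review bot: The new condition does not say why update rights on the source `$container` are required, and a reader may expect read access to be enough for a copy. A short comment above the `if` would record the intent, for example `// Both sides are checked: the target element must accept new containers, and the caller must be allowed to edit the container being copied.` Whether read access was meant to suffice cannot be decided from this hunk, so the comment should state the chosen rule. The method continues outside the hunk.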
@@ -48,4 +49,4 @@ class ContainersCopy extends NonJsonApiController
 
         return $container;
     }
-}
\ No newline at end of file
+}
diff --git a/lib/classes/JsonApi/Routes/Courseware/StructuralElementsCopy.php b/lib/classes/JsonApi/Routes/Courseware/StructuralElementsCopy.php
index 5dcb6d47194..2dfee89b08f 100755
--- a/lib/classes/JsonApi/Routes/Courseware/StructuralElementsCopy.php
+++ b/lib/classes/JsonApi/Routes/Courseware/StructuralElementsCopy.php
@@ -28,7 +28,8 @@ class StructuralElementsCopy extends NonJsonApiController
 
         $sourceElement = StructuralElement::find($args['id']);
         $newParent = StructuralElement::find($data['parent_id']);
-        if (!Authority::canCreateContainer($user = $this->getUser($request), $newParent)) {
+        $user = $this->getUser($request);
+        if (!Authority::canCreateStructuralElement($user, $newParent) || !Authority::canUpdateStructuralElement($user, $sourceElement)) {
             throw new AuthorizationFailedException();
         }
 
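Review bot: The added `Authority::canUpdateStructuralElement($user, $sourceElement)` check covers only the element named in the request. If the copy that follows this hunk also duplicates child elements, containers and blocks, anything below `$sourceElement` with stricter permissions would land in `$newParent` without being checked individually. The copy code is outside the hunk, so this needs confirming against the rest of the method. If the root check is meant to cover the subtree, a comment such as `// Permission on the root element is taken to cover its whole subtree.` would document that assumption; otherwise the per-child check belongs where the tree is walked.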
-- 
GitLab