From 8dfbd0f4550cc37a89d7f9b2fefecc867b63756d Mon Sep 17 00:00:00 2001
From: Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de>
Date: Mon, 8 Aug 2022 07:13:21 +0000
Subject: [PATCH] fix permission check, fixes #1349

Closes #1349

Merge request studip/studip!868
---
 app/controllers/course/members.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/app/controllers/course/members.php b/app/controllers/course/members.php
index a3653160da8..4e6afdc44f5 100644
--- a/app/controllers/course/members.php
+++ b/app/controllers/course/members.php
@@ -1820,8 +1820,7 @@ class Course_MembersController extends AuthenticatedController
 
     public function circular_mail_action()
     {
-        if (!$this->is_tutor ||
-            ($this->config->COURSE_STUDENT_MAILING && !$this->is_autor)) {
+        if (!$this->is_tutor && !$this->config->COURSE_STUDENT_MAILING) {
             throw new AccessDeniedException();
         }
 
-- 
GitLab