fix #3008

Closes #3008 Merge request studip/studip!2064

fix #3008
a3d5dec9 · Ron Lucke · Elmar Ludwig · ba199253 · a3d5dec9 · a3d5dec9
Commit a3d5dec9 authored 1 year ago by Ron Lucke Committed by Elmar Ludwig 1 year ago
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -529,9 +529,15 @@ class Authority
        return $GLOBALS['perm']->have_perm('root', $user->id);
    }
-    public static function canCreateClipboard(User $user): bool
+    public static function canCreateClipboard(User $user, $resource): bool
    {
-        return true;
+        if ($resource instanceof StructuralElement) {
+            $structural_element = $resource;
+        } else {
+            $structural_element = $resource->getStructuralElement();
+        }
+        return $structural_element->canEdit($user);
    }
    public static function canUpdateClipboard(User $user, Clipboard $resource): bool

--- a/lib/classes/JsonApi/Routes/Courseware/ClipboardsCreate.php
+++ b/lib/classes/JsonApi/Routes/Courseware/ClipboardsCreate.php
@@ -29,13 +29,14 @@ class ClipboardsCreate extends JsonApiController
    {
        $json = $this->validate($request);
        $user = $this->getUser($request);
-        if (!Authority::canCreateClipboard($user)) {
-            throw new AuthorizationFailedException();
-        }
        $object = $this->getObject($json);
        if (!$object) {
            throw new RecordNotFoundException();
        }
+        if (!Authority::canCreateClipboard($user, $object)) {
+            throw new AuthorizationFailedException();
+        }
        $clipboard = $this->createClipboard($user, $json, $object);
        return $this->getCreatedResponse($clipboard);