From a3d5dec95aaa882fdf10f38ebf40d8b4adc08ea4 Mon Sep 17 00:00:00 2001
From: Ron Lucke <lucke@elan-ev.de>
Date: Mon, 11 Sep 2023 12:35:01 +0000
Subject: [PATCH] fix #3008

Closes #3008

Merge request studip/studip!2064
---
 lib/classes/JsonApi/Routes/Courseware/Authority.php    | 10 ++++++++--
 .../JsonApi/Routes/Courseware/ClipboardsCreate.php     |  7 ++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Courseware/Authority.php b/lib/classes/JsonApi/Routes/Courseware/Authority.php
index 36488a40634..0f837dee3da 100644
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -529,9 +529,15 @@ class Authority
         return $GLOBALS['perm']->have_perm('root', $user->id);
     }
 
-    public static function canCreateClipboard(User $user): bool
+    public static function canCreateClipboard(User $user, $resource): bool
     {
-        return true;
+        if ($resource instanceof StructuralElement) {
+            $structural_element = $resource;
+        } else {
+            $structural_element = $resource->getStructuralElement();
+        }
+        
+        return $structural_element->canEdit($user);
     }
 
     public static function canUpdateClipboard(User $user, Clipboard $resource): bool
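Review bot: `canCreateClipboard` takes an untyped `$resource` and calls `getStructuralElement()` and then `canEdit()` on whatever comes back. A resource without that method, or a lookup that returns null (this hunk does not show whether it can), would raise a PHP Error instead of denying the request. For an authorization check I would make it fail closed with `return $structural_element !== null && $structural_element->canEdit($user);` and add a docblock naming the resource types the method accepts. The second parameter is now required, so any caller other than `ClipboardsCreate` that this patch does not touch would break and should be checked before merging.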
diff --git a/lib/classes/JsonApi/Routes/Courseware/ClipboardsCreate.php b/lib/classes/JsonApi/Routes/Courseware/ClipboardsCreate.php
index 48aa78a464f..73861f161c5 100644
--- a/lib/classes/JsonApi/Routes/Courseware/ClipboardsCreate.php
+++ b/lib/classes/JsonApi/Routes/Courseware/ClipboardsCreate.php
@@ -29,13 +29,14 @@ class ClipboardsCreate extends JsonApiController
     {
         $json = $this->validate($request);
         $user = $this->getUser($request);
-        if (!Authority::canCreateClipboard($user)) {
-            throw new AuthorizationFailedException();
-        }
         $object = $this->getObject($json);
         if (!$object) {
             throw new RecordNotFoundException();
         }
+        if (!Authority::canCreateClipboard($user, $object)) {
+            throw new AuthorizationFailedException();
+        }
+
         $clipboard = $this->createClipboard($user, $json, $object);
 
         return $this->getCreatedResponse($clipboard);
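Review bot: With the permission check now after the `getObject()` lookup, a user without edit rights gets `RecordNotFoundException` for an unknown id and `AuthorizationFailedException` for an existing one, so the two responses reveal which objects exist. The ordering itself is needed because the check depends on the object. If object ids are treated as non-public here, both cases could raise the same exception; otherwise a short comment such as `// authorization depends on the target object, so it runs after the lookup` would stop the order being changed back later. A regression test that rejects a user without edit rights on the structural element would pin the fix. The enclosing method starts and ends outside this hunk.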
-- 
GitLab