From bd23049f4e399d57f6c97c1657af7201a913b9d1 Mon Sep 17 00:00:00 2001
From: Viktoria Wiebe <vwiebe@uni-osnabrueck.de>
Date: Tue, 15 Nov 2022 12:56:59 +0000
Subject: [PATCH] fix #1047 - add perm check for user context

Closes #1047

Merge request studip/studip!1095
---
 lib/classes/JsonApi/Routes/Courseware/Authority.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/classes/JsonApi/Routes/Courseware/Authority.php b/lib/classes/JsonApi/Routes/Courseware/Authority.php
index aa61d0ab778..973869ad420 100755
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -249,6 +249,10 @@ class Authority
 
     public static function canUpdateBlockComment(User $user, BlockComment $resource)
     {
+        if ($resource->block->container->structural_element->range_type === 'user') {
+            return $resource->block->container->structural_element->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->block->container->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->block->container->structural_element->course->id,
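Review bot: In `canUpdateBlockComment` the new early return for `range_type === 'user'` decides purely on ownership of the structural element, so the comment's own author is never consulted in a user context. The function continues past this hunk; if the course path there also compares the comment's author with `$user`, that check is now skipped for personal workspaces, and the owner could update comments written by others. If that is intended, say so at the branch, e.g. `// user context: only the owner of the personal courseware may update comments, whoever wrote them`; otherwise the author comparison should be part of the returned expression.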
@@ -370,6 +374,10 @@ class Authority
             return true;
         }
 
+        if ($resource->structural_element->range_type === 'user') {
+            return $resource->structural_element->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->structural_element->course->id,
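Review bot: The ownership guard added here is the same rule as in `canUpdateBlockComment` above and in the hunk at -395, written out three times with the literal `'user'` and a different property chain each time, so a later change to the user-context rule can easily miss one copy. A private static helper that takes the structural element and `$user` would keep one definition, with call sites such as `return self::isOwnerOfUserRange($user, $resource->structural_element);` (the name is only a suggestion). The commit touches only Authority.php, so nothing pins the new behaviour; a test that the owner is accepted and a non-owner refused in each of the three methods would guard against regressions. Other `Authority` methods that still read `->course->config` are not visible in this patch and may need the same guard. The enclosing function starts and ends outside this hunk.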
@@ -395,6 +403,10 @@ class Authority
             return true;
         }
 
+        if ($resource->range_type === 'user') {
+            return $resource->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->course->id,
-- 
GitLab