fix #1047 - add perm check for user context

Closes #1047

Merge request studip/studip!1095

lib/classes/JsonApi/Routes/Courseware/Authority.php

@@ -249,6 +249,10 @@ class Authority
 
     public static function canUpdateBlockComment(User $user, BlockComment $resource)
     {
+        if ($resource->block->container->structural_element->range_type === 'user') {
+            return $resource->block->container->structural_element->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->block->container->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->block->container->structural_element->course->id,
@@ -370,6 +374,10 @@ class Authority
             return true;
         }
 
+        if ($resource->structural_element->range_type === 'user') {
+            return $resource->structural_element->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->structural_element->course->id,
@@ -395,6 +403,10 @@ class Authority
             return true;
         }
 
+        if ($resource->range_type === 'user') {
+            return $resource->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->course->id,