fix #2101

Closes #2101 Merge request studip/studip!1357

fix #2101
c321f1d4 · Ron Lucke · Elmar Ludwig · fa07240b · c321f1d4 · c321f1d4
Commit c321f1d4 authored 2 years ago by Ron Lucke Committed by Elmar Ludwig 2 years ago
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -484,9 +484,12 @@ class Authority
        return $GLOBALS['perm']->have_perm('root', $user->id);
    }
-    public static function canCreateUnit(User $user): bool
+    public static function canCreateUnit(User $user, \Range $range): bool
    {
-        return $GLOBALS['perm']->have_perm('tutor', $user->id);
+        if ($user->id === $range->id) {
+            return true;
+        }
+        return $GLOBALS['perm']->have_studip_perm('tutor', $range->id ,$user->id);
    }
    public static function canUpdateUnit(User $user, Unit $resource): bool

--- a/lib/classes/JsonApi/Routes/Courseware/UnitsCreate.php
+++ b/lib/classes/JsonApi/Routes/Courseware/UnitsCreate.php
@@ -24,10 +24,15 @@ class UnitsCreate extends JsonApiController
    {
        $json = $this->validate($request);
        $user = $this->getUser($request);
-        if (!Authority::canCreateUnit($user)) {
+        $range = $this->getRange($json);
+        if (!$range) {
+            throw new RecordNotFoundException();
+        }
+        if (!Authority::canCreateUnit($user, $range)) {
            throw new AuthorizationFailedException();
        }
-        $struct = $this->createUnit($user, $json);
+        $struct = $this->createUnit($user, $range, $json);
        return $this->getCreatedResponse($struct);
    }
@@ -57,31 +62,33 @@ class UnitsCreate extends JsonApiController
        }
    }
-    private function validateRange($json): bool
+    private function getRange($json): ?\Range
    {
        $rangeData = self::arrayGet($json, 'data.relationships.range.data');
-        if (!in_array($rangeData['type'], ['courses','users'])) {
+        try {
-            return false;
+            return \RangeFactory::createRange(
-        }
+                $this->getRangeType($rangeData['type']),
-        if ($rangeData['type'] ===  'courses') {
+                $rangeData['id']
-            $range = \Course::find($rangeData['id']);
+            );
-        } else {
+        } catch (\Exception $e) {
-            $range = \User::find($rangeData['id']);
+            return null;
        }
+    }
+    private function validateRange($json): bool
+    {
+        $range = $this->getRange($json);
        return isset($range);
    }
-    private function createUnit(\User $user, array $json)
+    private function createUnit(\User $user, \Range $range, array $json)
    {
-        $range_id = self::arrayGet($json, 'data.relationships.range.data.id');
+        $struct = \Courseware\StructuralElement::create([
-        $range_type = self::getRangeType(self::arrayGet($json, 'data.relationships.range.data.type'));
-        $struct = \Courseware\StructuralElement::build([
            'parent_id' => null,
-            'range_id' => $range_id,
+            'range_id' => $range->getRangeId(),
-            'range_type' => $range_type,
+            'range_type' => $range->getRangeType(),
            'owner_id' => $user->id,
            'editor_id' => $user->id,
            'edit_blocker_id' => '',
@@ -91,11 +98,9 @@ class UnitsCreate extends JsonApiController
            'position' => 0
        ]);
-        $struct->store();
+        $unit = \Courseware\Unit::create([
+            'range_id' => $range->getRangeId(),
-        $unit = \Courseware\Unit::build([
+            'range_type' => $range->getRangeType(),
-            'range_id' => $range_id,
-            'range_type' => $range_type,
            'structural_element_id' => $struct->id,
            'content_type' => 'courseware',
            'creator_id' => $user->id,
@@ -104,8 +109,6 @@ class UnitsCreate extends JsonApiController
            'withdraw_date' => self::arrayGet($json, 'data.attributes.withdraw-date'),
        ]);
-        $unit->store();
        return $unit;
    }