From da3c47c4c12c706ce0c4b39d641c3fb0521f8e2f Mon Sep 17 00:00:00 2001
From: Viktoria Wiebe <vwiebe@uni-osnabrueck.de>
Date: Tue, 15 Nov 2022 12:56:59 +0000
Subject: [PATCH] fix #1047 - add perm check for user context

Closes #1047

Merge request studip/studip!1095
---
 lib/classes/JsonApi/Routes/Courseware/Authority.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/classes/JsonApi/Routes/Courseware/Authority.php b/lib/classes/JsonApi/Routes/Courseware/Authority.php
index 29bde20557e..0331be71a50 100644
--- a/lib/classes/JsonApi/Routes/Courseware/Authority.php
+++ b/lib/classes/JsonApi/Routes/Courseware/Authority.php
@@ -262,6 +262,10 @@ class Authority
 
     public static function canUpdateBlockComment(User $user, BlockComment $resource)
     {
+        if ($resource->block->container->structural_element->range_type === 'user') {
+            return $resource->block->container->structural_element->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->block->container->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->block->container->structural_element->course->id,
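Review bot: The user-context branch added at the top of `canUpdateBlockComment` decides only on who owns the structural element and never looks at who wrote the comment. If the course path further down (outside this hunk) limits updates to the comment's author, the two contexts now follow different rules, which should be aligned or stated in a comment. The same ownership comparison is repeated in the hunks at new lines 387 and 416 with shorter property chains; a private static helper that takes the structural element and the user would keep the rule in one place. At minimum, add a comment above the branch such as `// Personal content (range_type 'user'): only the owning user may modify it; course permissions do not apply.`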
@@ -383,6 +387,10 @@ class Authority
             return true;
         }
 
+        if ($resource->structural_element->range_type === 'user') {
+            return $resource->structural_element->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->structural_element->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->structural_element->course->id,
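Review bot: The owner check here is placed after an early `return true;` whose condition is outside the hunk, so whatever that shortcut grants still applies to content in another user's personal workspace; the hunk at new line 416 has the same ordering. If the shortcut is a global role check this may be intended, but it should be a deliberate decision because it is the one path by which a non-owner can modify user-range content. Either move the `range_type === 'user'` branch above the shortcut or add a comment saying the bypass is intentional for personal content. The enclosing function starts and ends outside the hunk, so its name and the shortcut's condition are not visible here.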
@@ -408,6 +416,10 @@ class Authority
             return true;
         }
 
+        if ($resource->range_type === 'user') {
+            return $resource->range_id === $user->id;
+        }
+
         $perm = $GLOBALS['perm']->have_studip_perm(
             $resource->course->config->COURSEWARE_EDITING_PERMISSION,
             $resource->course->id,
-- 
GitLab