add missing permission check, fixes #273

controllers/admin.php

@@ -146,10 +146,13 @@ class AdminController extends StudipController
         Navigation::activateItem('/course/vips/solutions');
         PageLayout::setHelpKeyword('Basis.VipsErgebnisse');
 
+        $course_id = Context::getId();
+        vips_require_status('tutor', $course_id);
+
         $grades = ['1,0', '1,3', '1,7', '2,0', '2,3', '2,7', '3,0', '3,3', '3,7', '4,0'];
         $percentages = array_fill(0, count($grades), '');
         $comments = array_fill(0, count($grades), '');
-        $settings = CourseConfig::get(Context::getId());
+        $settings = CourseConfig::get($course_id);
 
         foreach ($settings->VIPS_COURSE_GRADES as $value) {
             $index = array_search($value['grade'], $grades);
@@ -173,6 +176,9 @@ class AdminController extends StudipController
     {
         CSRFProtection::verifyUnsafeRequest();
 
+        $course_id = Context::getId();
+        vips_require_status('tutor', $course_id);
+
         $grades = ['1,0', '1,3', '1,7', '2,0', '2,3', '2,7', '3,0', '3,3', '3,7', '4,0'];
         $percentages = Request::floatArray('percentage');
         $comments = Request::getArray('comment');
@@ -201,7 +207,7 @@ class AdminController extends StudipController
         }
 
         if (!$error) {
-            $settings = CourseConfig::get(Context::getId());
+            $settings = CourseConfig::get($course_id);
             $settings->store('VIPS_COURSE_GRADES', $grade_settings);
 
             PageLayout::postSuccess(_vips('Die Notenwerte wurden eingetragen.'));