From 48436e6bad6a9c318aca21fbaca0f49635a352fe Mon Sep 17 00:00:00 2001
From: Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de>
Date: Tue, 10 Dec 2024 18:09:48 +0100
Subject: [PATCH] add missing permission check, fixes #273

---
 controllers/admin.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/controllers/admin.php b/controllers/admin.php
index 3d5b8ff..520ce1e 100644
--- a/controllers/admin.php
+++ b/controllers/admin.php
@@ -146,10 +146,13 @@ class AdminController extends StudipController
         Navigation::activateItem('/course/vips/solutions');
         PageLayout::setHelpKeyword('Basis.VipsErgebnisse');
 
+        $course_id = Context::getId();
+        vips_require_status('tutor', $course_id);
+
         $grades = ['1,0', '1,3', '1,7', '2,0', '2,3', '2,7', '3,0', '3,3', '3,7', '4,0'];
         $percentages = array_fill(0, count($grades), '');
         $comments = array_fill(0, count($grades), '');
-        $settings = CourseConfig::get(Context::getId());
+        $settings = CourseConfig::get($course_id);
 
         foreach ($settings->VIPS_COURSE_GRADES as $value) {
             $index = array_search($value['grade'], $grades);
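Review bot: The `vips_require_status('tutor', $course_id)` call is inserted after `Navigation::activateItem` and `PageLayout::setHelpKeyword`; those only touch page layout, but the usual placement is as the first statements of the action so nothing at all runs for an unauthorized caller. More importantly the check is added per action rather than once for the controller: if AdminController has a `before_filter`, `vips_require_status('tutor', Context::getId());` belongs there so a future action cannot omit it, which is presumably how #273 arose in the first place. If `Context::getId()` can be null outside a course context, confirm that `vips_require_status` rejects a null course id rather than passing it through to the status lookup. The enclosing method starts above the hunk.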
@@ -173,6 +176,9 @@ class AdminController extends StudipController
     {
         CSRFProtection::verifyUnsafeRequest();
 
+        $course_id = Context::getId();
+        vips_require_status('tutor', $course_id);
+
         $grades = ['1,0', '1,3', '1,7', '2,0', '2,3', '2,7', '3,0', '3,3', '3,7', '4,0'];
         $percentages = Request::floatArray('percentage');
         $comments = Request::getArray('comment');
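Review bot: The new guard depends on `vips_require_status` aborting the request on failure; if it instead reports failure through its return value, execution would continue into the `Request::floatArray`/`Request::getArray` reads and the store that presumably follows later in the action, so confirm it throws and that the return value is not needed — otherwise guard it explicitly, e.g. `if (!vips_require_status('tutor', $course_id)) { throw new AccessDeniedException(); }`. Placing it directly after `CSRFProtection::verifyUnsafeRequest()` is the right order: CSRF is verified first, then authorization, before any request parameter is read. The method's signature is above the hunk and its body continues below it.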
@@ -201,7 +207,7 @@ class AdminController extends StudipController
         }
 
         if (!$error) {
-            $settings = CourseConfig::get(Context::getId());
+            $settings = CourseConfig::get($course_id);
             $settings->store('VIPS_COURSE_GRADES', $grade_settings);
 
             PageLayout::postSuccess(_vips('Die Notenwerte wurden eingetragen.'));
-- 
GitLab