From d76b488ff78039c14e8df3e125ef41d8dd81075d Mon Sep 17 00:00:00 2001
From: Tom Udding
Date: Mon, 11 Sep 2023 16:58:07 +0200
Subject: [PATCH] Do not allow viewing unapproved activities by the world

If an activity is not `APPROVED` it is only accessible to the board and the organiser.
---
 module/Activity/src/Controller/ActivityController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/module/Activity/src/Controller/ActivityController.php b/module/Activity/src/Controller/ActivityController.php
index 1eabb3ba50..89465972ef 100644
--- a/module/Activity/src/Controller/ActivityController.php
+++ b/module/Activity/src/Controller/ActivityController.php
@@ -72,6 +72,12 @@ public function viewAction(): mixed
 return $this->notFoundAction();
 }
 
+ if (ActivityModel::STATUS_APPROVED !== $activity->getStatus()) {
+ if (!$this->aclService->isAllowed('update', $activity)) {
+ return $this->notFoundAction();
+ }
+ }
+
 // If the Activity has a sign-up list always display it by redirecting the request.
 if (0 !== $activity->getSignupLists()->count()) {
 return $this->forward()->dispatch(
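Review bot: The status gate added to `viewAction()` protects only this one action, so any other route that loads an activity by id (including the sign-up list action this method forwards to a few lines below, if it is directly routable) would still need the same check; none of that is visible in this hunk, so it is worth confirming, or moving the rule into the ACL/service layer so every entry point inherits it. The gate also reuses the `update` privilege as a stand-in for "may view unapproved", which ties visibility to any later change in who may edit; a comment such as `// Unapproved activities are visible only to users who may update them (board, organiser); 404 instead of 403 so their existence is not disclosed.` would record that intent. The two nested `if`s can be a single condition: `if (ActivityModel::STATUS_APPROVED !== $activity->getStatus() && !$this->aclService->isAllowed('update', $activity)) {`. `viewAction()` starts and ends outside the hunk.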