check edit permissions before allowing to add or remove playlists fro…
…m a course (#1089)
tgloeggl authored Nov 28, 2024
1 parent c05d4d0 commit 996cdbc
Showing 2 changed files with 13 additions and 5 deletions.
8 changes: 6 additions & 2 deletions lib/Routes/Course/CourseAddPlaylist.php
Expand Up @@ -11,6 +11,7 @@
use Opencast\Models\Playlists;
use Opencast\Models\PlaylistSeminars;
use Opencast\Models\Helpers;
use Opencast\Providers\Perm;

class CourseAddPlaylist extends OpencastController
{
Expand All @@ -23,6 +24,10 @@ public function __invoke(Request $request, Response $response, $args)
$playlist = Playlists::findOneByToken($args['token']);
$course_id = $args['course_id'];

if (!Perm::editAllowed($course_id, $user->id)) {
throw new \AccessDeniedException();
}

$json = $this->getRequestData($request);

$is_default = 0;
Expand All @@ -34,8 +39,7 @@ public function __invoke(Request $request, Response $response, $args)
// check what permissions the current user has on the playlist and video
$perm_playlist = reset($playlist->perms->findBy('user_id', $user->id)->toArray());

// allow any perm for adding playlists to course user has access to
if (empty($perm_playlist) && !$perm->have_studip_perm('tutor', $course_id))
if (empty($perm_playlist))
{
throw new \AccessDeniedException();
}
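Review bot: In the last hunk, `if (empty($perm_playlist))` passes for any entry the user has in the playlist's perms, whatever its level, and the comment that recorded this as deliberate is removed together with the tutor fallback. If the perms relation can hold a read-only level, a course editor holding only that level can still attach the playlist to the course; either compare the level explicitly or keep the intent as a comment such as `// any permission entry on the playlist is sufficient; course edit rights are checked via Perm::editAllowed() above`. Separately, `reset()` takes its argument by reference, so passing the result of `->toArray()` directly raises a notice; assigning the array to a variable first avoids it. `__invoke` starts and ends outside the hunks shown.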
10 changes: 7 additions & 3 deletions lib/Routes/Course/CourseRemovePlaylist.php
Expand Up @@ -10,23 +10,27 @@
use Opencast\OpencastController;
use Opencast\Models\Playlists;
use Opencast\Models\PlaylistSeminars;
use Opencast\Providers\Perm;

class CourseRemovePlaylist extends OpencastController
{
use OpencastTrait;

public function __invoke(Request $request, Response $response, $args)
{
global $user;

global $user, $perm;

$playlist = Playlists::findOneByToken($args['token']);
$course_id = $args['course_id'];

if (!Perm::editAllowed($course_id, $user->id)) {
throw new \AccessDeniedException();
}

// check what permissions the current user has on the playlist and video
$perm_playlist = reset($playlist->perms->findBy('user_id', $user->id)->toArray());

if (empty($perm_playlist) && !$perm->have_studip_perm('tutor', $course_id)) // allow any perm for adding playlists to course user has access to
if (empty($perm_playlist))
{
throw new \AccessDeniedException();
}
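Review bot: The result of `Playlists::findOneByToken($args['token'])` is dereferenced at `$playlist->perms` with no check in between, so an unknown token (assuming the finder returns null on a miss) ends in a PHP error instead of a clean not-found response for any user who passes `Perm::editAllowed()`. An `if (!$playlist)` guard right after the lookup that raises the project's not-found error would close that. Also, assuming `global $user, $perm;` is the new side of the change, `$perm` is pulled into scope while its only visible use (`$perm->have_studip_perm(...)`) is dropped; unless the collapsed remainder of `__invoke` still needs it, `global $user;` is enough. The method body continues past the end of this section.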