Tweak question pool and question pool question comment permissions

matheuszych · Jul 10, 2024 · df958f6 · df958f6
1 parent 8d4d94f
commit df958f6
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/Modules/TestQuestionPool/classes/class.ilObjQuestionPoolGUI.php b/Modules/TestQuestionPool/classes/class.ilObjQuestionPoolGUI.php
@@ -1827,7 +1827,7 @@ public function infoScreenObject(): void
     public function infoScreenForward(): void
     {
         if (!$this->access->checkAccess('visible', '', $this->ref_id)) {
-            $this->error->raiseError($this->lng->txt('msg_no_perm_read'));
+            $this->error->raiseError($this->lng->txt('msg_no_perm_read'), 403);
         }
         $info = new ilInfoScreenGUI($this);
         $info->enablePrivateNotes();
@@ -1895,7 +1895,7 @@ protected function getTable(): string
             $this->taxonomy->domain(),
             $this->notes_service,
             $this->object->getId(),
-            (int)$this->qplrequest->getRefId()
+            $this->qplrequest->getRefId()
         );
 
         /**

diff --git a/Services/Notes/Comment/class.ilCommentGUI.php b/Services/Notes/Comment/class.ilCommentGUI.php
@@ -118,6 +118,10 @@ public function getHTML(): string
 
     public function getListHTML(bool $a_init_form = true): string
     {
+        if (!$this->checkAccess()) {
+            return '';
+        }
+
         $ilUser = $this->user;
         $lng = $this->lng;
         $ilCtrl = $this->ctrl;

diff --git a/Services/Notes/Note/class.ilNoteGUI.php b/Services/Notes/Note/class.ilNoteGUI.php
@@ -994,7 +994,7 @@ public function addNote(): void
         )->getData("note") ?? "";
 
         //if ($this->form->checkInput())
-        if ($text !== "" && !is_array($this->rep_obj_id)) {
+        if ($text !== "" && !is_array($this->rep_obj_id) && $this->checkAccess()) {
             $context = $this->data->context(
                 $this->rep_obj_id,
                 $this->obj_id,
@@ -1555,4 +1555,21 @@ protected function updateNumber(): void
         exit;
     }
 
+    protected function checkAccess(): bool
+    {
+        $context = $this->data->context(
+            $this->rep_obj_id,
+            $this->obj_id,
+            $this->obj_type,
+            $this->news_id,
+            $this->repository_mode,
+        );
+        $refIds = ilObject::_getAllReferences($context->getObjId());
+        $refId = (int) array_shift($refIds);
+        return match ($this->obj_type) {
+            'qpl' => $this->access->checkAccess('visible', '', $refId),
+            'quest' => $this->access->checkAccess('read', '', $refId),
+            default => true,
+        };
+    }
 }