added 'other lv plan' permission check in api controller

This commit is contained in:
adisposkofh
2026-04-14 16:28:01 +02:00
parent d003bfa7f1
commit cdc279b5da
2 changed files with 6 additions and 1 deletions
+1 -1
View File
@@ -14,7 +14,7 @@ class OtherLvPlan extends Auth_Controller
public function __construct()
{
parent::__construct([
'index' => ['basis/cis:r']
'index' => ['basis/other_lv_plan:r']
]);
// Load Config
@@ -98,6 +98,11 @@ class LvPlan extends FHCAPI_Controller
$end_date = $this->input->post('end_date', true);
$uid = $this->input->post('uid', true);
// disallow accessing other user's lv plan if missing permission
if ($uid && $uid !== getAuthUID() && !$this->permissionlib->isBerechtigt('basis/other_lv_plan')) {
$this->terminateWithError("Missing permission to view other users' timetables!");
}
// fetching lvplan events
$result = $this->stundenplanlib->getEventsUser($start_date, $end_date, $uid);
$lvplanEvents = $this->getDataOrTerminateWithError($result);