From d025359f72ce0ddd951e6f506edb3d23025d7e8d Mon Sep 17 00:00:00 2001
From: cgfhtw
Date: Tue, 13 Aug 2024 08:51:01 +0200
Subject: [PATCH] Berechtigungscheck Verbandstree

---
 .../controllers/api/frontend/v1/stv/Verband.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/application/controllers/api/frontend/v1/stv/Verband.php b/application/controllers/api/frontend/v1/stv/Verband.php
index 7b2a7d7ef..8d508399b 100644
--- a/application/controllers/api/frontend/v1/stv/Verband.php
+++ b/application/controllers/api/frontend/v1/stv/Verband.php
@@ -27,10 +27,9 @@ class Verband extends FHCAPI_Controller
 {
  public function __construct()
  {
- // TODO(chris): permissions
  $permissions = [];
  $router = load_class('Router');
- $permissions[$router->method] = self::PERM_LOGGED;
+ $permissions[$router->method] = ['admin:r', 'assistenz:r'];
  parent::__construct($permissions);
 
  // Load Models
@@ -57,6 +56,13 @@ class Verband extends FHCAPI_Controller
  if ($method == '' || $method == 'index')
  return $this->getBase();
 
+ // NOTE(chris): Test if access is allowed ($method is the Studiengang)
+ if (!$this->permissionlib->isBerechtigt('assistenz', 's', $method)
+ && !$this->permissionlib->isBerechtigt('admin', 's', $method)
+ ) {
+ return $this->_outputAuthError([$method => ['admin:r', 'assistenz:r']]);
+ }
+
  $count = count($params);
  if (!$count)
  return $this->getStudiengang($method);
@@ -104,8 +110,11 @@ class Verband extends FHCAPI_Controller
  $stgs = $this->permissionlib->getSTG_isEntitledFor('admin') ?: [];
  $stgs = array_merge($stgs, $this->permissionlib->getSTG_isEntitledFor('assistenz') ?: []);
 
- if ($stgs)
- $this->StudiengangModel->db->where_in('studiengang_kz', $stgs);
+
+ if (!$stgs)
+ $this->terminateWithSuccess([]);
+
+ $this->StudiengangModel->db->where_in('studiengang_kz', $stgs);
 
  $result = $this->StudiengangModel->loadWhere(['v.aktiv' => true]);
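Review bot: The new per-Studiengang guard hard-codes the access type `'s'` in both `isBerechtigt` calls while the rejection payload and the constructor's declaration advertise `admin:r` / `assistenz:r`; if `'s'` is permissionlib's spelling of that same read right, the NOTE comment should say so, e.g. `// NOTE(chris): Test if access is allowed ($method is the Studiengang); 's' is the permissionlib art for the ':r' read right declared in the constructor`, otherwise the check and the advertised requirement disagree. `$method` is a raw URL segment used directly as the studiengang_kz, so this guard is only as strong as isBerechtigt's handling of an unknown or non-numeric key — presumably it reports "not entitled" rather than throwing or defaulting to allowed, but that is worth confirming once, since it is now the only per-Studiengang check on this path. The enclosing method starts and ends outside the hunk.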
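Review bot: The new empty-entitlement branch relies on `terminateWithSuccess([])` never returning; if the helper only writes the response, execution falls through to `where_in('studiengang_kz', [])` and the following loadWhere, which the removed `if ($stgs)` guard used to skip. Presumably the helper exits (its name suggests so), but making that intent explicit costs one token and survives a future change to the helper: `return $this->terminateWithSuccess([]);`. The added blank `+` line directly after the existing blank context line also leaves two consecutive empty lines before the `if`. The enclosing method starts and ends outside the hunk.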