authorElmar Ludwig <elmar.ludwig@uni-osnabrueck.de>2026-03-17 14:49:04 +0100
committerJan-Hendrik Willms <tleilax+studip@gmail.com>2026-03-17 14:54:51 +0100
commit2bd0871ccf86b41085f4b21d972a2d13e508c55d (patch)
tree5d8ee41dca40686b6a4b7052ec9f0a6d34f36de6
parent0cc1e950c3a175c205625820fcba144c780d661b (diff)
allow access to institute list of visible users, fixes #6371
Closes #6371 Merge request studip/studip!4834
-rw-r--r--lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php7
-rw-r--r--lib/classes/JsonApi/Routes/Institutes/Authority.php9
2 files changed, 5 insertions, 11 deletions
diff --git a/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php b/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php
index 2fd9833..c7612e1 100644
--- a/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php
+++ b/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php
@@ -5,9 +5,9 @@ namespace JsonApi\Routes\InstituteMemberships;
use JsonApi\Errors\AuthorizationFailedException;
use JsonApi\Errors\RecordNotFoundException;
use JsonApi\JsonApiController;
+use JsonApi\Routes\Users\Authority;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
-use JsonApi\Routes\Institutes\Authority;
class ByUserIndex extends JsonApiController
{
@@ -24,11 +24,14 @@ class ByUserIndex extends JsonApiController
throw new RecordNotFoundException();
}
- if (!Authority::canIndexInstitutesOfUser($this->getUser($request), $user)) {
+ if (!Authority::canShowUser($this->getUser($request), $user)) {
throw new AuthorizationFailedException();
}
$institutes = $user->institute_memberships;
+ if (!$GLOBALS['perm']->have_profile_perm('user', $user->id)) {
+ $institutes = $institutes->filter(fn($membership) => $membership->inst_perms !== 'user');
+ }
$total = count($institutes);
list($offset, $limit) = $this->getOffsetAndLimit();
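Review bot: The added filter calls `$GLOBALS['perm']->have_profile_perm('user', $user->id)` without naming the observer, while the authorization check just above it is evaluated for `$this->getUser($request)`. If the global perm object and the request user can differ on a JSON API call, memberships with `inst_perms === 'user'` could be hidden from or shown to the wrong viewer. The other perm call on this page passes the subject id explicitly (`have_studip_perm('admin', $institute->id, $user->id)`), so, assuming `have_profile_perm` accepts the same optional user id, I would write `if (!$GLOBALS['perm']->have_profile_perm('user', $user->id, $this->getUser($request)->id)) {`. A one-line comment such as `// plain 'user' memberships are only listed for viewers with profile permission` would document the visibility rule, which now sits in the controller instead of an Authority class. The enclosing method starts and ends outside the hunk.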
diff --git a/lib/classes/JsonApi/Routes/Institutes/Authority.php b/lib/classes/JsonApi/Routes/Institutes/Authority.php
index c6ee43b..91dc573 100644
--- a/lib/classes/JsonApi/Routes/Institutes/Authority.php
+++ b/lib/classes/JsonApi/Routes/Institutes/Authority.php
@@ -14,13 +14,4 @@ class Authority
{
return $GLOBALS['perm']->have_studip_perm('admin', $institute->id, $user->id);
}
-
- /**
- * @SuppressWarnings(PHPMD.Superglobals)
- */
- public static function canIndexInstitutesOfUser(User $observer, User $user)
- {
- return $GLOBALS['perm']->have_perm('admin', $observer->id)
- || $observer->id === $user->id;
- }
}