authorElmar Ludwig <elmar.ludwig@uni-osnabrueck.de>2026-03-17 14:49:04 +0100
committerElmar Ludwig <elmar.ludwig@uni-osnabrueck.de>2026-03-17 14:49:04 +0100
commit02e95466efcf38c2e6bedb32bf5f2c4c731dd5f3 (patch)
treef6cfb638c788625840acdda12960bcb9ea50e3ae
parent96d555e3f270b16c55bfbfe280482e702fe8910f (diff)
allow access to institute list of visible users, fixes #6371
Closes #6371 Merge request studip/studip!4834
-rw-r--r--lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php7
-rw-r--r--lib/classes/JsonApi/Routes/Institutes/Authority.php9
2 files changed, 5 insertions, 11 deletions
diff --git a/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php b/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php
index 2fd9833..c7612e1 100644
--- a/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php
+++ b/lib/classes/JsonApi/Routes/InstituteMemberships/ByUserIndex.php
@@ -5,9 +5,9 @@ namespace JsonApi\Routes\InstituteMemberships;
use JsonApi\Errors\AuthorizationFailedException;
use JsonApi\Errors\RecordNotFoundException;
use JsonApi\JsonApiController;
+use JsonApi\Routes\Users\Authority;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
-use JsonApi\Routes\Institutes\Authority;
class ByUserIndex extends JsonApiController
{
@@ -24,11 +24,14 @@ class ByUserIndex extends JsonApiController
throw new RecordNotFoundException();
}
- if (!Authority::canIndexInstitutesOfUser($this->getUser($request), $user)) {
+ if (!Authority::canShowUser($this->getUser($request), $user)) {
throw new AuthorizationFailedException();
}
$institutes = $user->institute_memberships;
+ if (!$GLOBALS['perm']->have_profile_perm('user', $user->id)) {
+ $institutes = $institutes->filter(fn($membership) => $membership->inst_perms !== 'user');
+ }
$total = count($institutes);
list($offset, $limit) = $this->getOffsetAndLimit();
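Review bot: The added filter on `$institutes` decides through `$GLOBALS['perm']->have_profile_perm('user', $user->id)`, which names no observer, while the authorization check just above it is evaluated for `$this->getUser($request)`. If those two identities can ever differ (for example under token-based API authentication, which is not visible here), 'user'-level memberships could be shown to or hidden from the wrong observer. I would resolve the observer once and pass it explicitly, `$observer = $this->getUser($request);` and `have_profile_perm('user', $user->id, $observer->id)`, assuming have_profile_perm accepts an optional user id the way the have_studip_perm call in Institutes/Authority.php does. The rule would also be easier to audit as a named method on an Authority class, with a comment stating why 'user'-level memberships are withheld from other viewers. The enclosing method starts and ends outside the hunk.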
diff --git a/lib/classes/JsonApi/Routes/Institutes/Authority.php b/lib/classes/JsonApi/Routes/Institutes/Authority.php
index c6ee43b..91dc573 100644
--- a/lib/classes/JsonApi/Routes/Institutes/Authority.php
+++ b/lib/classes/JsonApi/Routes/Institutes/Authority.php
@@ -14,13 +14,4 @@ class Authority
{
return $GLOBALS['perm']->have_studip_perm('admin', $institute->id, $user->id);
}
-
- /**
- * @SuppressWarnings(PHPMD.Superglobals)
- */
- public static function canIndexInstitutesOfUser(User $observer, User $user)
- {
- return $GLOBALS['perm']->have_perm('admin', $observer->id)
- || $observer->id === $user->id;
- }
}