Resolve #4701 "Administration/Veranstaltungs-Stundenplan kann ohne Admin Rechte aufgerufen werden"

Closes #4701 Merge request studip/studip!3495
author: André Noack <noack@data-quest.de> 2024-10-15 14:33:43 +0000
committer: André Noack <noack@data-quest.de> 2024-10-15 14:33:43 +0000
commit: 802c7a675469ab680f1fa58132c54f15b6cb4a0c (patch)
tree: 68e538127e12130c215d6196bad61952333d43f2 /app/controllers/admin/courseplanning.php
parent: 95f4b928ba7b23128ed73dd2196c5285e9d4c9a0 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/admin/courseplanning.php b/app/controllers/admin/courseplanning.php
index 44b372d..be41133 100644
--- a/app/controllers/admin/courseplanning.php
+++ b/app/controllers/admin/courseplanning.php
@@ -12,10 +12,12 @@ class Admin_CourseplanningController extends AuthenticatedController
     {
         parent::before_filter($action, $args);
 
-        if ($GLOBALS['perm']->have_perm('admin')) {
-            Navigation::activateItem('/browse/my_courses/schedule');
+        if (!$GLOBALS['perm']->have_perm('admin')) {
+            throw new AccessDeniedException();
         }
 
+        Navigation::activateItem('/browse/my_courses/schedule');
+
         $this->insts = Institute::getMyInstitutes($GLOBALS['user']->id);
 
         if (empty($this->insts) && !$GLOBALS['perm']->have_perm('root')) {
author	André Noack <noack@data-quest.de>	2024-10-15 14:33:43 +0000
committer	André Noack <noack@data-quest.de>	2024-10-15 14:33:43 +0000
commit	802c7a675469ab680f1fa58132c54f15b6cb4a0c (patch)
tree	68e538127e12130c215d6196bad61952333d43f2 /app/controllers/admin/courseplanning.php
parent	95f4b928ba7b23128ed73dd2196c5285e9d4c9a0 (diff)