authorMurtaza Sultani <sultani@data-quest.de>2025-07-15 09:30:48 +0200
committerMurtaza Sultani <sultani@data-quest.de>2025-07-15 09:30:48 +0200
commit3b8ca07f47502466bfa537db838b8599dc3ce861 (patch)
tree9ff029908a1146d2fd5db67b6eaa7578266718b4 /app
parente04fa1e9b79f784628d640d4c0355f5eba61da01 (diff)
Resolve "Autor darf keine neue Diskussion starten"
Closes #5724 Merge request studip/studip!4355
Diffstat (limited to 'app')
-rw-r--r--app/controllers/course/forum/ForumBaseController.php12
-rw-r--r--app/controllers/course/forum/discussions.php21
2 files changed, 13 insertions, 20 deletions
diff --git a/app/controllers/course/forum/ForumBaseController.php b/app/controllers/course/forum/ForumBaseController.php
index 196bbcf..aaa4dd4 100644
--- a/app/controllers/course/forum/ForumBaseController.php
+++ b/app/controllers/course/forum/ForumBaseController.php
@@ -31,13 +31,11 @@ abstract class ForumBaseController extends StudipController
{
$actions = new ActionsWidget();
- if ($this->is_moderator) {
- $actions->addLink(
- _('Neue Diskussion starten'),
- $this->url_for('course/forum/discussions/edit'),
- Icon::create('add', Icon::ROLE_CLICKABLE, ['title' => _('Neue Diskussion starten')])
- )->asDialog('width=900;height=750');
- }
+ $actions->addLink(
+ _('Neue Diskussion starten'),
+ $this->url_for('course/forum/discussions/edit'),
+ Icon::create('add', Icon::ROLE_CLICKABLE, ['title' => _('Neue Diskussion starten')])
+ )->asDialog('width=900;height=750');
if ($this->is_admin) {
$actions->addLink(
diff --git a/app/controllers/course/forum/discussions.php b/app/controllers/course/forum/discussions.php
index c946401..7e7aca7 100644
--- a/app/controllers/course/forum/discussions.php
+++ b/app/controllers/course/forum/discussions.php
@@ -112,10 +112,6 @@ class Course_Forum_DiscussionsController extends Forum\ForumBaseController
public function edit_action(ForumDiscussion $discussion = null)
{
- if (!$this->is_moderator) {
- throw new AccessDeniedException();
- }
-
if ($discussion->isNew()) {
PageLayout::setTitle(_('Neue Diskussion starten'));
} else {
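Review bot: Removing the moderator gate leaves edit_action with no authorization at all for the non-new case, so any user who reaches the course forum can open the edit form of another user's discussion by discussion id, while delete_action in this same commit restricts non-moderators to their own discussions. The form itself is mostly a UI concern, but it should mirror the save-side rule so the two cannot drift: after the signature add `if (!$discussion->isNew() && !$this->is_moderator && $discussion->user_id !== User::findCurrent()->user_id) { throw new AccessDeniedException(); }` before the `PageLayout::setTitle` branch. The parameter defaults to `null`, and `$discussion->isNew()` would fail on a real null; presumably the framework resolves an instance for the route, but that is not visible here and worth confirming. The body of edit_action continues outside the hunk.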
@@ -155,21 +151,20 @@ class Course_Forum_DiscussionsController extends Forum\ForumBaseController
public function save_action($discussion_id = null)
{
- if (!$this->is_moderator) {
- throw new AccessDeniedException();
- }
-
CSRFProtection::verifyUnsafeRequest();
if ($discussion_id) {
$discussion = ForumDiscussion::find($discussion_id);
} else {
$discussion = new ForumDiscussion();
+ $discussion->user_id = User::findCurrent()->user_id;
}
$discussion->title = Request::get('title');
$discussion->closed_at = Request::bool('closed_at', false) ? time() : null;
- $discussion->sticky = Request::bool('sticky', false);
+ if ($this->is_moderator) {
+ $discussion->sticky = Request::bool('sticky', false);
+ }
if (Request::get('type_id')) {
$discussion->type_id = Request::get('type_id');
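Review bot: With the moderator check gone, the `if ($discussion_id)` branch lets any forum user overwrite another user's discussion (title, closed_at, type_id) by posting an arbitrary discussion_id, because `ForumDiscussion::find($discussion_id)` is used without an ownership check, whereas delete_action in this commit does gate non-moderators on `$discussion->user_id`. The same branch also dereferences the result of `find()` without a null guard, so an unknown id ends in a property write on null rather than an access-denied response. Only `sticky` was guarded, which protects moderator-only flags but not other people's discussions; the fix below brings save_action in line with delete_action. The comparison uses `!==` as delete_action does; whether both ids are strings of the same form is not visible here and should be confirmed. save_action continues past the end of the hunk.
```php
        CSRFProtection::verifyUnsafeRequest();
        if ($discussion_id) {
            $discussion = ForumDiscussion::find($discussion_id);
            if (!$discussion) {
                throw new AccessDeniedException();
            }
            // Non-moderators may only edit discussions they started themselves
            // (same rule as delete_action).
            if (!$this->is_moderator && $discussion->user_id !== User::findCurrent()->user_id) {
                throw new AccessDeniedException();
            }
        } else {
            // … unchanged: new discussion, user_id assignment …
```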
@@ -227,16 +222,16 @@ class Course_Forum_DiscussionsController extends Forum\ForumBaseController
public function delete_action($discussion_id)
{
- if (!$this->is_moderator) {
- throw new AccessDeniedException();
- }
-
$discussion = ForumDiscussion::find($discussion_id);
if (!$discussion) {
throw new AccessDeniedException();
}
+ if (!$this->is_moderator && $discussion->user_id !== User::findCurrent()->user_id) {
+ throw new AccessDeniedException();
+ }
+
TagRelation::deleteBySQL("range_id = ? AND range_type = 'forum'", [$discussion->discussion_id]);
$topic_id = $discussion->topic_id;