only display to inst admins requests they have permissions for, fixes #432

Closes #432 Merge request studip/studip!4346
author: Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de> 2025-07-11 13:09:33 +0200
committer: Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de> 2025-07-11 13:09:33 +0200
commit: 6a88de23cb06bcbc121a8a3ee85b26446595be11 (patch)
tree: 6670a5663f20aaf92f8d2671012bd088645a8717 /app
parent: b6ae18e2f73a6f25e9ba6305e0ac3e00c6c16de7 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/resources/room_request.php b/app/controllers/resources/room_request.php
index 5c7811b..07af488 100644
--- a/app/controllers/resources/room_request.php
+++ b/app/controllers/resources/room_request.php
@@ -210,6 +210,10 @@ class Resources_RoomRequestController extends AuthenticatedController
                 );
                 $sql_params['institute_ids'] = $institute_ids;
             }
+        } else if (!ResourceManager::userHasGlobalPermission($this->current_user, 'admin')) {
+            // inst admins only get requests for their rooms or courses of their institutes
+            $sql .= " AND (resource_id != '' OR course_id IN (SELECT seminar_id FROM seminare WHERE institut_id IN (:institute_ids)))";
+            $sql_params['institute_ids'] = array_column(Institute::getMyInstitutes(), 'Institut_id');
         }
 
         if (
@@ -1149,6 +1153,7 @@ class Resources_RoomRequestController extends AuthenticatedController
                 )
             );
         } else {
+            $user_has_permission = $GLOBALS['perm']->have_studip_perm('tutor', $this->request->course_id);
             PageLayout::setTitle(
                 _('Anfrage auflösen')
             );
author	Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de>	2025-07-11 13:09:33 +0200
committer	Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de>	2025-07-11 13:09:33 +0200
commit	6a88de23cb06bcbc121a8a3ee85b26446595be11 (patch)
tree	6670a5663f20aaf92f8d2671012bd088645a8717 /app
parent	b6ae18e2f73a6f25e9ba6305e0ac3e00c6c16de7 (diff)