| author | Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de> | 2025-07-11 13:09:33 +0200 |
|---|---|---|
| committer | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2025-07-16 08:31:34 +0200 |
| commit | ceb28ac295cb55f241c2b2bb57c4f755d9394d9a (patch) | |
| tree | ff4c3bb83bebff624297a275dec817f89d94531f /app | |
| parent | 93903dc6d30facb7a653a5bbbfebd2a0b58a99a0 (diff) | |
only display to inst admins requests they have permissions for, fixes #432
Closes #432
Merge request studip/studip!4346
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/resources/room_request.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/resources/room_request.php b/app/controllers/resources/room_request.php index 07f886e..388e4ca 100644 --- a/app/controllers/resources/room_request.php +++ b/app/controllers/resources/room_request.php @@ -210,6 +210,10 @@ class Resources_RoomRequestController extends AuthenticatedController ); $sql_params['institute_ids'] = $institute_ids; } + } else if (!ResourceManager::userHasGlobalPermission($this->current_user, 'admin')) { + // inst admins only get requests for their rooms or courses of their institutes + $sql .= " AND (resource_id != '' OR course_id IN (SELECT seminar_id FROM seminare WHERE institut_id IN (:institute_ids)))"; + $sql_params['institute_ids'] = array_column(Institute::getMyInstitutes(), 'Institut_id'); } if ( @@ -1145,6 +1149,7 @@ class Resources_RoomRequestController extends AuthenticatedController ) ); } else { + $user_has_permission = $GLOBALS['perm']->have_studip_perm('tutor', $this->request->course_id); PageLayout::setTitle( _('Anfrage auflösen') ); |
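Review bot: The `resource_id != ''` arm of the added condition passes every request that names a room, so this branch by itself enforces only the course/institute half of what the comment promises. The "their rooms" half has to come from a filter built earlier in the method, which lies outside the hunk and should be confirmed. If that filter exists, the comment should say so, e.g. `// requests with a resource_id are already limited to rooms the user may manage (see above); only course-bound requests are narrowed to the user's institutes here`. It is also worth confirming that `Institute::getMyInstitutes()` returns only institutes where the user holds admin rights, and how the database layer expands an empty list for `IN (:institute_ids)`, since both decide what a user with no matching institute sees. The `else if` attaches to a condition that starts outside the hunk.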
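Review bot: `$user_has_permission` is derived here only from `tutor` rights on `$this->request->course_id`, and the hunk shows neither where the flag is enforced nor what it evaluates to for a request that has no course. Since the first hunk narrows only the list query, this action presumably still needs its own check when a request is opened directly by id. Confirm that the code after the hunk denies access when the flag is false, before any change is made. A one-line comment above the assignment, such as `// may the current user resolve this request? checked before <enforcement point>`, would make that dependency visible. The enclosing `else` branch and method continue outside the hunk.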
