From dda96cbbdf9237d90297ed1559f0a4d27713b2ec Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Fri, 20 Mar 2026 13:18:46 +0100
Subject: set allow_nobody on resources' ajax controller for get_booking_plan
 action, fixes #6269

Closes #6269

Merge request studip/studip!4739
---
 app/controllers/resources/ajax.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/app/controllers/resources/ajax.php b/app/controllers/resources/ajax.php
index 8b771b3..a594b11 100644
--- a/app/controllers/resources/ajax.php
+++ b/app/controllers/resources/ajax.php
@@ -14,6 +14,17 @@
 
 class Resources_AjaxController extends AuthenticatedController
 {
+    protected $allow_nobody = true;
+
+    public function before_filter(&$action, &$args)
+    {
+        if ($action !== 'get_booking_plan') {
+            throw new LoginException();
+        }
+
+        parent::before_filter($action, $args);
+    }
+
     public function toggle_marked_action($request_id)
     {
         $request = ResourceRequest::find($request_id);
-- 
cgit v1.0