From a420cc87ad2b8b2d286a4481938b20bb250ef3fc Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Fri, 14 Jun 2024 16:21:38 -0500
Subject: [PATCH] Internal: Fix permission to view session by voter - refs BT#21745

---
 .../Authorization/Voter/SessionVoter.php | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/src/CoreBundle/Security/Authorization/Voter/SessionVoter.php b/src/CoreBundle/Security/Authorization/Voter/SessionVoter.php
index e95768175d..04691e07c9 100644
--- a/src/CoreBundle/Security/Authorization/Voter/SessionVoter.php
+++ b/src/CoreBundle/Security/Authorization/Voter/SessionVoter.php
@@ -84,22 +84,26 @@ class SessionVoter extends Voter
 $userIsStudent = $session->hasUserInCourse($user, $currentCourse, Session::STUDENT);
 }
 
- if ($userIsGeneralCoach) {
- $user->addRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_TEACHER);
- } elseif ($userIsCourseCoach) { // Course-Coach access.
+ $visibilityForUser = $session->setAccessVisibilityByUser($user);
+
+ if ($userIsStudent && Session::LIST_ONLY == $visibilityForUser) {
+ return false;
+ }
+
+ if ($userIsGeneralCoach || $userIsCourseCoach) {
 $user->addRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_TEACHER);
 } elseif ($userIsStudent) { // Student access.
 $user->addRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_STUDENT);
 }
 
- if (\in_array(
- $session->setAccessVisibilityByUser($user),
- [Session::INVISIBLE, Session::LIST_ONLY]
- )) {
- return false;
+ if (
+ ($userIsGeneralCoach || $userIsCourseCoach || $userIsStudent)
+ && $visibilityForUser != Session::INVISIBLE
+ ) {
+ return true;
 }
 
- return true;
+ return false;
 
 case self::EDIT:
 case self::DELETE:
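Review bot: The `addRole()` calls still run before the final visibility decision, so a coach or student whose `$visibilityForUser` is `Session::INVISIBLE` is denied by this vote yet keeps `ROLE_CURRENT_COURSE_SESSION_TEACHER` or `ROLE_CURRENT_COURSE_SESSION_STUDENT` on the in-memory user object. If other voters rely on those roles later in the request (the constants live on `ResourceNodeVoter`, so this seems likely but is not visible here), the role state and this denial disagree; adding `if (Session::INVISIBLE === $visibilityForUser) { return false; }` next to the new LIST_ONLY guard, ahead of the role block, keeps the grant and the decision consistent. The two new comparisons use loose `==` and `!=`; `===` and `!==` would be safer, provided `setAccessVisibilityByUser()` returns the same type as the `Session` constants. The visibility call now runs before the roles are added rather than after, so it is worth confirming that it does not read the user's roles. The enclosing `case` begins above the hunk, so how the three `$userIs…` flags are initialised is not shown.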