Internal: Fix permission to view session by voter - refs BT#21745

1 year ago · a420cc87ad
parent 2ec2aa25cd
commit a420cc87ad
1 changed files with 13 additions and 9 deletions
--- a/src/CoreBundle/Security/Authorization/Voter/SessionVoter.php
+++ b/src/CoreBundle/Security/Authorization/Voter/SessionVoter.php
@ -84,22 +84,26 @@ class SessionVoter extends Voter
                    $userIsStudent = $session->hasUserInCourse($user, $currentCourse, Session::STUDENT);
                }

-                if ($userIsGeneralCoach) {
-                    $user->addRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_TEACHER);
-                } elseif ($userIsCourseCoach) { // Course-Coach access.
+                $visibilityForUser = $session->setAccessVisibilityByUser($user);
+
+                if ($userIsStudent && Session::LIST_ONLY == $visibilityForUser) {
+                    return false;
+                }
+
+                if ($userIsGeneralCoach || $userIsCourseCoach) {
                    $user->addRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_TEACHER);
                } elseif ($userIsStudent) { // Student access.
                    $user->addRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_STUDENT);
                }

-                if (\in_array(
-                    $session->setAccessVisibilityByUser($user),
-                    [Session::INVISIBLE, Session::LIST_ONLY]
-                )) {
-                    return false;
+                if (
+                    ($userIsGeneralCoach || $userIsCourseCoach || $userIsStudent)
+                    && $visibilityForUser != Session::INVISIBLE
+                ) {
+                    return true;
                }

-                return true;
+                return false;

            case self::EDIT:
            case self::DELETE: