From e40e36def6aed034ec1640f8391bed989c0f9ecd Mon Sep 17 00:00:00 2001
From: NicoDucou
Date: Tue, 9 Jan 2024 09:22:19 +0100
Subject: [PATCH] Security: Announcement: add verification if user is subscribed to course or subscribed to group to send response -refs BT#21329
---
 main/inc/ajax/announcement.ajax.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/main/inc/ajax/announcement.ajax.php b/main/inc/ajax/announcement.ajax.php
index 0d32a8fadf..208f18e32d 100644
--- a/main/inc/ajax/announcement.ajax.php
+++ b/main/inc/ajax/announcement.ajax.php
@@ -14,6 +14,7 @@ $courseCode = api_get_course_id();
 $courseId = api_get_course_int_id();
 $groupId = api_get_group_id();
 $sessionId = api_get_session_id();
+$currentUserId = api_get_user_id();
 $isTutor = false;
 if (!empty($groupId)) {
@@ -26,9 +27,13 @@ if (!empty($groupId)) {
 switch ($action) {
 case 'preview':
+$userInCourse = false;
+if (CourseManager::is_user_subscribed_in_course($currentUserId, CourseManager::get_course_code_from_course_id($courseId), $sessionId)) {
+$userInCourse = true;
+}
 $allowToEdit = (
 api_is_allowed_to_edit(false, true) ||
-(api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous()) ||
+(api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous() && $userInCourse) ||
 ($sessionId && api_is_coach() && api_get_configuration_value('allow_coach_to_edit_announcements'))
 );
@@ -47,7 +52,11 @@ switch ($action) {
 // Last chance ... students can send announcements.
 if ($groupProperties['announcements_state'] == GroupManager::TOOL_PRIVATE_BETWEEN_USERS) {
-$allowToEdit = true;
+// check if user is a group member to give access
+$groupInfo = GroupManager::get_group_properties($groupId);
+if (array_key_exists($currentUserId,GroupManager::get_subscribed_users($groupInfo))) {
+$allowToEdit = true;
+}
 }
 }
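Review bot: The new course-membership test in the `preview` case recomputes the course code with `CourseManager::get_course_code_from_course_id($courseId)` even though `$courseCode = api_get_course_id()` is already assigned in this file (it is the context shown in the first hunk header, two lines above `$courseId = api_get_course_int_id()`), so the extra lookup appears redundant; if both resolve to the same course, the four added lines collapse to `$userInCourse = (bool) CourseManager::is_user_subscribed_in_course($currentUserId, $courseCode, $sessionId);`. Note also that the guard is applied only to the `allow_user_edit_announcement` branch of `$allowToEdit`, which is correct for the membership concern, but `$allowToEdit` is consumed further down outside this hunk, and any other `case` of the `switch` that builds the same permission expression is not visible here and would need the same check. A one-line comment above the check such as `// Only course members may use the per-user edit setting; teachers/coaches are covered by the other branches` would document why the membership test sits only in that branch.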
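Review bot: The group-membership check in the last hunk depends on `GroupManager::get_subscribed_users()` returning an array keyed by user id; the hunk gives no evidence of that shape, and if the function returns a positional list, `array_key_exists($currentUserId, ...)` would compare the user id against list indices and grant `$allowToEdit` to the wrong users (any id smaller than the group size), so the return shape should be confirmed before this is relied on as the access check. Independently, `$groupProperties` is already in scope (the enclosing `if` reads `$groupProperties['announcements_state']`), so `$groupInfo = GroupManager::get_group_properties($groupId)` repeats a lookup that was made earlier; reusing `$groupProperties` removes the second query, and if this version of `GroupManager` exposes a direct membership predicate (something like `is_user_in_group($currentUserId, $groupProperties)`), preferring it over inspecting the user array makes the intent explicit. Minor style: `array_key_exists($currentUserId,GroupManager::...` is missing the space after the comma. The enclosing `if (!empty($groupId))` block and the `switch` both start outside this hunk.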