Security: Announcement: add verification if user is subscribed to course or subscribed to group to send response -refs BT#21329

main/inc/ajax/announcement.ajax.php

@@ -14,6 +14,7 @@ $courseCode = api_get_course_id();
 $courseId = api_get_course_int_id();
 $groupId = api_get_group_id();
 $sessionId = api_get_session_id();
+$currentUserId = api_get_user_id();
 
 $isTutor = false;
 if (!empty($groupId)) {
@@ -26,9 +27,13 @@ if (!empty($groupId)) {
 
 switch ($action) {
     case 'preview':
+        $userInCourse = false;
+        if (CourseManager::is_user_subscribed_in_course($currentUserId, CourseManager::get_course_code_from_course_id($courseId), $sessionId)) {
+            $userInCourse = true;
+        }
         $allowToEdit = (
             api_is_allowed_to_edit(false, true) ||
-            (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous()) ||
+            (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous() && $userInCourse) ||
             ($sessionId && api_is_coach() && api_get_configuration_value('allow_coach_to_edit_announcements'))
         );
 
@@ -47,9 +52,13 @@ switch ($action) {
 
             // Last chance ... students can send announcements.
             if ($groupProperties['announcements_state'] == GroupManager::TOOL_PRIVATE_BETWEEN_USERS) {
+                // check if user is a group member to give access
+                $groupInfo = GroupManager::get_group_properties($groupId);
+                if (array_key_exists($currentUserId,GroupManager::get_subscribed_users($groupInfo))) {
                     $allowToEdit = true;
                 }
             }
+        }
 
         if ($allowToEdit === false) {
             exit;