From 0816f97255d84eba431bef83a9681b62d6c32974 Mon Sep 17 00:00:00 2001
From: Stephan Kergomard
Date: Mon, 27 Jan 2025 17:30:49 +0200
Subject: [PATCH] Object: Fix Access Check on Availability Period

See: https://mantis.ilias.de/view.php?id=43859
---
 .../MultiObjectPropertiesManipulator.php | 15 ++++++----
 Services/Object/classes/class.ilObjectGUI.php | 30 ++++++++++++++-----
 2 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/Services/Object/classes/Properties/MultiObjectPropertiesManipulator.php b/Services/Object/classes/Properties/MultiObjectPropertiesManipulator.php
index 1abe9ec89c79..e34f37a262cc 100644
--- a/Services/Object/classes/Properties/MultiObjectPropertiesManipulator.php
+++ b/Services/Object/classes/Properties/MultiObjectPropertiesManipulator.php
@@ -24,7 +24,6 @@
 use ILIAS\Object\Properties\ObjectReferenceProperties\ObjectAvailabilityPeriodProperty;
 use ILIAS\UI\Component\Button\Standard as StandardButton;
 use ILIAS\UI\Component\Modal\RoundTrip as RoundTripModal;
-use ILIAS\UI\Implementation\Component\Listing\Unordered as UnorderedListing;
 use ILIAS\UI\Factory as UIFactory;
 use ILIAS\Refinery\Factory as Refinery;
 use ILIAS\Data\Factory as DataFactory;
@@ -81,8 +80,9 @@ public function getEditAvailabilityPeriodPropertiesModal(
 
 public function saveEditAvailabilityPeriodPropertiesModal(
 \ilObjectGUI $parent_gui,
+ \Closure $check_access,
 ServerRequestInterface $request
-): ?RoundTripModal {
+): RoundTripModal|bool {
 $post_url = $this->ctrl->getFormAction($parent_gui, 'saveAvailabilityPeriod');
 $availability_period_modal = $this->buildModal($post_url)
 ->withRequest($request);
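Review bot: The new `\Closure $check_access` parameter and the `RoundTripModal|bool` return type leave the contract implicit: nothing states what the closure receives, what it must return, or what each of the three outcomes means to a caller. Add a PHPDoc above the method, e.g. `@param \Closure(list<int>): bool $check_access  Must return true only if the caller may write every given ref_id` and `@return RoundTripModal|bool  The modal when the submitted data is invalid, true once stored, false when $check_access rejected the selection`. A reader of the ilObjectGUI call site otherwise has to open this file to learn that `false` means access denied rather than a failed save. The method body continues in the next hunk.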
@@ -90,10 +90,15 @@ public function saveEditAvailabilityPeriodPropertiesModal(
 if ($data === null) {
 return $availability_period_modal;
 }
- $ref_ids = explode(',', $data['affected_items']);
+ $ref_ids = $this->refinery->kindlyTo()->listOf($this->refinery->kindlyTo()->int())->transform($data['affected_items']);
+
+ if (!$check_access($ref_ids)) {
+ return false;
+ }
+
 $availability_period_property = $data['enable_availability_period'];
 $this->saveAvailabilityPeriodPropertyForObjectRefIds($ref_ids, $availability_period_property);
- return null;
+ return true;
 }
 
 private function buildModal(
@@ -156,7 +161,7 @@ private function saveAvailabilityPeriodPropertyForObjectRefIds(
 ): void {
 foreach ($object_reference_ids as $object_reference_id) {
 $this->object_reference_properties_repo->storePropertyAvailabilityPeriod(
- $property->withObjectReferenceId((int) $object_reference_id)
+ $property->withObjectReferenceId($object_reference_id)
 );
 }
 }
diff --git a/Services/Object/classes/class.ilObjectGUI.php b/Services/Object/classes/class.ilObjectGUI.php
index 3dbcdb4702c2..1846a6cb0bbd 100755
--- a/Services/Object/classes/class.ilObjectGUI.php
+++ b/Services/Object/classes/class.ilObjectGUI.php
@@ -880,11 +880,13 @@ protected function addAvailabilityPeriodButtonToToolbar(ilToolbarGUI $toolbar):
 
 public function editAvailabilityPeriodObject(): void
 {
- if (!$this->checkPermissionBool('write')) {
+ $item_ref_ids = $this->retriever->getSelectedIdsFromObjectList();
+ if (!$this->checkPermissionBool('write')
+ && !$this->checkWritePermissionOnRefIdArray($item_ref_ids)) {
 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('msg_no_perm_write'));
 return;
 }
- $item_ref_ids = $this->retriever->getSelectedIdsFromObjectList();
+
 $availability_period_modal = $this->getMultiObjectPropertiesManipulator()->getEditAvailabilityPeriodPropertiesModal(
 $item_ref_ids,
 $this
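Review bot: `transform()` on `kindlyTo()->listOf(kindlyTo()->int())` throws a refinery exception when `affected_items` is not an array of int-like values, and nothing in this method catches it; the line it replaces used `explode(',', ...)`, which suggests the hidden field submits a comma-separated string, and buildModal is not touched by this patch (see the diffstat), so unless that field already posts an array every save will now throw before the access check is reached. If it is a string, keep the split and let the refinery validate the elements: `$ref_ids = $this->refinery->kindlyTo()->listOf($this->refinery->kindlyTo()->int())->transform(explode(',', $data['affected_items']));`. Validating to ints before `$check_access` and before `saveAvailabilityPeriodPropertyForObjectRefIds` is the right order; note that an empty list passes a vacuous `$check_access` and then stores nothing. The `@@ -156` hunk below drops the `(int)` cast, so `saveAvailabilityPeriodPropertyForObjectRefIds` should state `@param list<int> $object_reference_ids` — its signature starts outside that hunk.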
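Review bot: The new guard in `editAvailabilityPeriodObject` admits a user without write on the container whenever `checkWritePermissionOnRefIdArray($item_ref_ids)` is true, and that helper is vacuously true for an empty array, so an empty or missing selection now reaches `getEditAvailabilityPeriodPropertiesModal` without any permission having been checked; reject it first, e.g. `if ($item_ref_ids === []) { $this->tpl->setOnScreenMessage('failure', $this->lng->txt('<no-selection-lang-key>')); return; }` with a suitable existing key. The predicate `checkPermissionBool('write') || checkWritePermissionOnRefIdArray(...)` is repeated verbatim as the closure in `saveAvailabilityPeriodObject` (`@@ -904`); moving it into one private method keeps the edit and save paths from drifting apart. Whether write on the container alone should suffice for every selected child is unchanged from before this patch and is a policy question rather than a defect here. The method body continues past the hunk.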
@@ -904,13 +906,15 @@ public function editAvailabilityPeriodObject(): void
 
 public function saveAvailabilityPeriodObject(): void
 {
- if (!$this->checkPermissionBool('write')) {
- $this->tpl->setOnScreenMessage('failure', $this->lng->txt('msg_no_perm_write'));
- return;
- }
- $availability_period_modal = $this->getMultiObjectPropertiesManipulator()->saveEditAvailabilityPeriodPropertiesModal($this, $this->request);
- if ($availability_period_modal === null) {
+ $availability_period_modal = $this->getMultiObjectPropertiesManipulator()->saveEditAvailabilityPeriodPropertiesModal(
+ $this,
+ fn($ref_ids): bool => $this->checkPermissionBool('write') || $this->checkWritePermissionOnRefIdArray($ref_ids),
+ $this->request
+ );
+ if ($availability_period_modal === true) {
 $this->tpl->setOnScreenMessage('success', $this->lng->txt('availability_period_changed'));
+ } elseif ($availability_period_modal === false) {
+ $this->tpl->setOnScreenMessage('failure', $this->lng->txt('msg_no_perm_write'));
 } else {
 $this->tpl->setVariable(
 'IL_OBJECT_MODALS',
@@ -1806,4 +1810,14 @@ public function removeFromDeskObject(): void
 $this->tpl->setOnScreenMessage("success", $this->lng->txt("rep_removed_from_favourites"), true);
 $this->ctrl->redirectToURL(ilLink::_getLink($this->requested_ref_id));
 }
+
+ private function checkWritePermissionOnRefIdArray(array $ref_ids): bool
+ {
+ foreach ($ref_ids as $ref_id) {
+ if (!$this->access->checkAccess('write', '', $ref_id)) {
+ return false;
+ }
+ }
+ return true;
+ }
 }
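Review bot: The closure `fn($ref_ids): bool => ...` leaves its parameter untyped although `checkWritePermissionOnRefIdArray` requires an `array`; declare it `fn(array $ref_ids): bool => ...` so a non-array argument fails at the call boundary rather than with a TypeError deep inside the helper. Since the manipulator now reports access denial by returning `false`, the `elseif` branch is the only place the user learns why nothing was saved; a short comment such as `// false: $check_access rejected the selected ref_ids` on that branch keeps the tri-state result readable. The `else` branch and the rest of the method continue outside the hunk.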
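Review bot: `checkWritePermissionOnRefIdArray` is the only per-item authorization in both `editAvailabilityPeriodObject` and `saveAvailabilityPeriodObject`, yet its signature says nothing about element types and it returns true for an empty array without consulting `$this->access` at all. State the contract so callers do not rely on it by accident: `/** @param list<int> $ref_ids  True only if the current user has 'write' on every given ref_id; vacuously true for an empty list, so callers must reject empty selections themselves. */`. The save path passes refinery-validated ints, but what `getSelectedIdsFromObjectList()` returns on the edit path is not visible here, so confirm those are ints before `checkAccess` sees them.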