42613: BookingPool/Schedule: Editing a schedule is not protected with…

… RBAC permissions / schedule is bound to other booking pool

Signed-off-by: Releasemanager <[email protected]>

Modules/BookingManager/Objects/class.ilBookingObjectGUI.php

@@ -88,6 +88,10 @@ public function __construct(
         $this->ref_id = $this->book_request->getRefId();
         $this->ctrl->saveParameter($this, "object_id");
 
+        if ($this->object_id > 0 && ilBookingObject::lookupPoolId($this->object_id) !== $this->pool_gui->getObject()->getId()) {
+            throw new ilPermissionException("Booking object pool id does not match pool id.");
+        }
+
         $this->rsv_ids = array_map('intval', $this->book_request->getReservationIdsFromString());
     }
 

Modules/BookingManager/Schedule/class.ilBookingSchedule.php

@@ -311,6 +311,21 @@ protected function saveDefinition(): bool
         return true;
     }
 
+    public static function lookupPoolId(int $schedule_id): int
+    {
+        global $DIC;
+
+        $ilDB = $DIC->database();
+
+        $set = $ilDB->query("SELECT pool_id " .
+            " FROM booking_schedule" .
+            " WHERE booking_schedule_id = " . $ilDB->quote($schedule_id, 'integer'));
+        if ($rec = $ilDB->fetchAssoc($set)) {
+            return (int) $rec['pool_id'];
+        }
+        return 0;
+    }
+
     /**
      * Check if given pool has any defined schedules
      */

Modules/BookingManager/Schedule/class.ilBookingScheduleGUI.php

@@ -53,6 +53,11 @@ public function __construct(
                                   ->gui()
                                   ->standardRequest();
         $this->schedule_id = $this->book_request->getScheduleId();
+
+        if ($this->schedule_id > 0 && ilBookingSchedule::lookupPoolId($this->schedule_id) !== ilObject::_lookupObjId($this->ref_id)) {
+            throw new ilPermissionException("Schedule pool id does not match pool id.");
+        }
+
     }
 
     public function executeCommand(): void