From 20423dddb0968906ba64d8b9584e93f648702cfe Mon Sep 17 00:00:00 2001
From: Jonas Kuche
Date: Wed, 30 Oct 2024 13:37:39 +0100
Subject: [PATCH] fix(core): update permission checks for course group information (#1698)
---
 .../de/thm/ii/fbs/controller/GroupController.scala | 6 ++----
 .../fbs/controller/GroupRegistrationController.scala | 10 ++--------
 2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupController.scala b/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupController.scala
index 46b734ca1..9edbd0c23 100644
--- a/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupController.scala
+++ b/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupController.scala
@@ -43,10 +43,8 @@ class GroupController{
 val user = authService.authorize(req, res)
 val someCourseRole = courseRegistrationService.getParticipants(cid).find(_.user.id == user.id).map(_.role)
 (user.globalRole, someCourseRole) match {
- case (GlobalRole.ADMIN | GlobalRole.MODERATOR, _) | (_, Some(CourseRole.DOCENT)) =>
- val groupList = groupService.getAll(cid, ignoreHidden = false)
- groupList
- case _ => throw new ForbiddenException()
+ case (GlobalRole.ADMIN | GlobalRole.MODERATOR, _) | (_, Some(CourseRole.DOCENT)) => groupService.getAll(cid, ignoreHidden = false)
+ case _ => groupService.getAll(cid)
 }
 }

diff --git a/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupRegistrationController.scala b/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupRegistrationController.scala
index b960e4bd7..ae982d7d0 100644
--- a/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupRegistrationController.scala
+++ b/modules/fbs-core/api/src/main/scala/de/thm/ii/fbs/controller/GroupRegistrationController.scala
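Review bot: The new fallback `case _ => groupService.getAll(cid)` in GroupController also matches `(_, None)`, so a logged-in user with no registration in course `cid` now receives that course's group list instead of a ForbiddenException. If the intent is only to let enrolled students see groups, match on membership explicitly with `case (_, Some(_)) => groupService.getAll(cid)` followed by `case _ => throw new ForbiddenException()`. The fallback call also relies on the default value of `ignoreHidden`, which is not visible in this hunk; passing the intended value explicitly would show at the call site that hidden groups stay filtered for non-privileged callers. The enclosing method starts above the hunk.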
@@ -133,14 +133,8 @@ class GroupRegistrationController {
 @GetMapping(value = Array("/courses/{cid}/groups/{gid}/participants"))
 @ResponseBody
 def getMembers(@PathVariable("cid") cid: Integer, @PathVariable("gid") gid: Int, req: HttpServletRequest, res: HttpServletResponse): List[Participant] = {
- val user = authService.authorize(req, res)
- val hasGlobalPrivileges = user.hasRole(GlobalRole.ADMIN, GlobalRole.MODERATOR)
- val hasCoursePrivileges = courseRegistrationService.getCoursePrivileges(user.id).getOrElse(cid, CourseRole.STUDENT) == CourseRole.DOCENT
- if (hasGlobalPrivileges || hasCoursePrivileges) {
- groupRegistrationService.getMembers(cid, gid)
- } else {
- throw new ForbiddenException()
- }
+ authService.authorize(req, res)
+ groupRegistrationService.getMembers(cid, gid)
 }

 /**
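Review bot: `getMembers` now returns the participant list of any group to every authenticated caller, because the result of `authService.authorize` is discarded and neither course nor group membership is checked. Participant records appear to carry user and role data (the GroupController hunk reads `_.user.id` and `_.role` from participants), so the endpoint should at least be scoped to the course: keep `val user = authService.authorize(req, res)` and add `if (!user.hasRole(GlobalRole.ADMIN, GlobalRole.MODERATOR) && !courseRegistrationService.getCoursePrivileges(user.id).contains(cid)) throw new ForbiddenException()`. That assumes `getCoursePrivileges` returns a map holding only the courses the user is registered in, which the removed `getOrElse(cid, CourseRole.STUDENT)` suggests but does not prove. Whether `gid` is verified to belong to `cid` depends on `groupRegistrationService.getMembers`, which is not shown here.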