From 455f85df756be56494eb3d5c39cadbcd54671faf Mon Sep 17 00:00:00 2001
From: Sagun Karki
Date: Wed, 13 May 2026 11:25:10 +0200
Subject: [PATCH 1/3] fix(soap): enforce ownership check in saveQuestion via isAllowedCall write branch

---
 .../soap/classes/class.ilSoapTestAdministration.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/components/ILIAS/soap/classes/class.ilSoapTestAdministration.php b/components/ILIAS/soap/classes/class.ilSoapTestAdministration.php
index 4152d2f16cdd..0111b76bf4c1 100755
--- a/components/ILIAS/soap/classes/class.ilSoapTestAdministration.php
+++ b/components/ILIAS/soap/classes/class.ilSoapTestAdministration.php
@@ -76,6 +76,16 @@ public function isAllowedCall(string $sid, int $active_id, bool $saveaction = tr
         }
 
         if ($saveaction) {
+            $owner_result = $ilDB->queryF(
+                "SELECT user_fi FROM tst_active WHERE active_id = %s",
+                array('integer'),
+                array($active_id)
+            );
+            $owner_row = $ilDB->fetchAssoc($owner_result);
+            if (!is_array($owner_row) || (int) $owner_row['user_fi'] !== $ilUser->getId()) {
+                return false;
+            }
+
             $result = $ilDB->queryF(
                 "SELECT * FROM tst_times WHERE active_fi = %s ORDER BY started DESC",
                 array('integer'),

From 3278cbc8815aea5865e5c5654193e63376fc7994 Mon Sep 17 00:00:00 2001
From: Sagun Karki
Date: Thu, 21 May 2026 13:12:13 +0200
Subject: [PATCH 2/3] fix: add edit_userassignment check for getUsersForRole global roles (#0047258)

---
 .../soap/classes/class.ilSoapUserAdministration.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/components/ILIAS/soap/classes/class.ilSoapUserAdministration.php b/components/ILIAS/soap/classes/class.ilSoapUserAdministration.php
index b4d96a5d2a82..b8e3e3dfbe49 100755
--- a/components/ILIAS/soap/classes/class.ilSoapUserAdministration.php
+++ b/components/ILIAS/soap/classes/class.ilSoapUserAdministration.php
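Review bot: The new owner check inside the `$saveaction` branch carries no comment stating why it exists, and because `isAllowedCall` is shared, every caller that passes the default `$saveaction = true` now receives it, not only the `saveQuestion` path named in the subject; add `// Only the participant that owns this active_id may write to it; reject foreign ids before any tst_times lookup.` above the new `queryF` call and confirm that no legitimate caller writes on behalf of another user, since such a path would now be denied. The read branch (`$saveaction === false`) is untouched and keeps whatever checks precede the hunk, which appears intentional given the subject. `$ilUser` is referenced but not defined in the visible lines, so it is assumed to be initialised earlier in the method. A denied mismatch returns a bare `false`, which leaves nothing for SecOps to detect a probe of foreign `active_id` values with; logging the rejected `active_id` and acting user at warning level before `return false;` would make that visible. `isAllowedCall` starts before and ends after this hunk.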
@@ -518,15 +518,21 @@ public function getUserForRole(string $sid, int $role_id, bool $attachRoles, int
 $tree = $DIC->repositoryTree(); $ilUser = $DIC->user(); $access = $DIC->access(); + $rbacsystem = $DIC->rbac()->system(); $global_roles = $rbacreview->getGlobalRoles(); if (in_array($role_id, $global_roles, true)) { - // global roles - if ($role_id === SYSTEM_ROLE_ID && - !in_array(SYSTEM_ROLE_ID, $rbacreview->assignedRoles($ilUser->getId()), true)) { + $actor_has_system_role = in_array(SYSTEM_ROLE_ID, $rbacreview->assignedRoles($ilUser->getId()), true); + + if ($role_id === SYSTEM_ROLE_ID && !$actor_has_system_role) { return $this->raiseError("Role access not permitted. ($role_id)", "Server"); } + + if (!$actor_has_system_role && + !$rbacsystem->checkAccessOfUser($ilUser->getId(), 'edit_userassignment', ROLE_FOLDER_ID)) { + return $this->raiseError('Role access not permitted. ' . '(' . $role_id . ')', 'Server'); + } } else { // local roles $rolfs = $rbacreview->getFoldersAssignedToRole($role_id, true);

From 846a0a4235e0929dc7e321699cd4f6fc55b237b2 Mon Sep 17 00:00:00 2001
From: Sagun Karki
Date: Fri, 22 May 2026 12:14:04 +0200
Subject: [PATCH 3/3] fix: remove strict_types declaration from ilSoapObjectAdministration to restore SOAP compatibility (#0046688)

---
 .../ILIAS/soap/classes/class.ilSoapObjectAdministration.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/components/ILIAS/soap/classes/class.ilSoapObjectAdministration.php b/components/ILIAS/soap/classes/class.ilSoapObjectAdministration.php
index 17d44587d4e5..6ca6cb56e500 100755
--- a/components/ILIAS/soap/classes/class.ilSoapObjectAdministration.php
+++ b/components/ILIAS/soap/classes/class.ilSoapObjectAdministration.php
@@ -16,8 +16,6 @@
  *
  *********************************************************************/
 
-declare(strict_types=1);
-
 /**
  * Soap object administration methods
  * @author Stefan Meyer
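Review bot: The two denial paths in the global-role branch build the same message differently — the retained line uses `"Role access not permitted. ($role_id)", "Server"` while the new one uses `'Role access not permitted. ' . '(' . $role_id . ')', 'Server'` with a redundant concatenation; write the new line as `return $this->raiseError("Role access not permitted. ($role_id)", "Server");` so clients and log parsers see one string. The removed `// global roles` comment was the counterpart of `// local roles` in the `else` branch and should be restored above `$actor_has_system_role` so the two branches stay readable side by side. The earlier `SYSTEM_ROLE_ID` check is not subsumed by the new gate — it denies even an actor holding `edit_userassignment` — so keeping both appears intentional and deserves a one-line comment such as `// System-role membership is never listed to non-system-role actors, regardless of edit_userassignment.`. The subject names `getUsersForRole` while the method in the hunk header is `getUserForRole`. `getUserForRole` continues beyond the end of this hunk, including the local-role branch, which this change does not touch.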