From 2cf9b27321b4f9f9d0d857d829287e8518484097 Mon Sep 17 00:00:00 2001
From: Matheus Zych
Date: Wed, 4 Feb 2026 11:22:58 +0100
Subject: [PATCH] TestQuestionPool: Enforce Access on Global Units

See: https://mantis.ilias.de/view.php?id=47122
`ilUnitConfigurationGUI::checkPermissions()` now validates commands via `ilRbacSystem`: overview commands require `read`, modifying commands require `write`, with failure message and redirect. The add-unit toolbar action and `ilUnitTableGUI` CRUD UI (multiselect, sequence inputs, actions) are shown only when the user has `write` on the object ref. Also normalizes newline at end of `tpl.unit_row_html`.
---
 .../classes/class.ilUnitConfigurationGUI.php | 20 ++++++++++++++++++-
 .../classes/tables/class.ilUnitTableGUI.php | 17 ++++++++++++++--
 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/components/ILIAS/TestQuestionPool/classes/class.ilUnitConfigurationGUI.php b/components/ILIAS/TestQuestionPool/classes/class.ilUnitConfigurationGUI.php
index 2fdc9bc9fa5c..8c45d04839ca 100755
--- a/components/ILIAS/TestQuestionPool/classes/class.ilUnitConfigurationGUI.php
+++ b/components/ILIAS/TestQuestionPool/classes/class.ilUnitConfigurationGUI.php
@@ -32,6 +32,7 @@ abstract class ilUnitConfigurationGUI
 protected ilGlobalTemplateInterface $tpl;
 protected ilLanguage $lng;
 protected ilCtrlInterface $ctrl;
+ protected ilRbacSystem $rbac_system;
 public function __construct(
 protected ilUnitConfigurationRepository $repository
@@ -40,6 +41,7 @@ public function __construct(
 $this->lng = $DIC->language();
 $this->ctrl = $DIC->ctrl();
 $this->tpl = $DIC->ui()->mainTemplate();
+ $this->rbac_system = $DIC->rbac()->system();
 $local_dic = QuestionPoolDIC::dic();
 $this->request = $local_dic['request_data_collector'];
@@ -74,6 +76,22 @@ protected function handleSubtabs(): void
 protected function checkPermissions(string $cmd): void
 {
+ if (!$this->rbac_system->checkAccess('read', $this->request->getRefId())) {
+ $this->tpl->setOnScreenMessage('failure', $this->lng->txt('permission_denied'), true);
+ $this->ctrl->redirectToURL(ilUserUtil::getStartingPointAsUrl());
+ return;
+ }
+ if (in_array($cmd, ['showUnitCategories', 'showUnitsOfCategory', 'showGlobalUnitCategories'], true)) {
+ return;
+ }
+ if ($this->rbac_system->checkAccess('write', $this->request->getRefId())) {
+ return;
+ }
+ $this->tpl->setOnScreenMessage('failure', $this->lng->txt('permission_denied'), true);
+ $this->ctrl->redirect($this, $this->getDefaultCommand());
 }
 public function executeCommand(): void
@@ -462,7 +480,7 @@ protected function showUnitsOfCategory(): void
 $this->lng->txt('back'),
 $this->ctrl->getLinkTarget($this, $this->getUnitCategoryOverviewCommand())
 );
- if ($this->isCRUDContext()) {
+ if ($this->isCRUDContext() && $this->rbac_system->checkAccess('write', $this->request->getRefId())) {
 $this->ctrl->setParameterByClass(get_class($this), 'category_id', $category->getId());
 $ilToolbar->addButton(
 $this->lng->txt('un_add_unit'),
diff --git a/components/ILIAS/TestQuestionPool/classes/tables/class.ilUnitTableGUI.php b/components/ILIAS/TestQuestionPool/classes/tables/class.ilUnitTableGUI.php
index c394bce4bd4c..1e243411269d 100755
--- a/components/ILIAS/TestQuestionPool/classes/tables/class.ilUnitTableGUI.php
+++ b/components/ILIAS/TestQuestionPool/classes/tables/class.ilUnitTableGUI.php
@@ -16,6 +16,9 @@
 *
 *********************************************************************/
+use ILIAS\TestQuestionPool\QuestionPoolDIC;
+use ILIAS\TestQuestionPool\RequestDataCollector;
 /**
 * Class ilUnitTableGUI
 */
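Review bot: The read-only allowlist `['showUnitCategories', 'showUnitsOfCategory', 'showGlobalUnitCategories']` hard-codes command names that the class otherwise resolves through accessors such as `getUnitCategoryOverviewCommand()` (used in the next hunk) and `getDefaultCommand()` (used on the last added line), so a subclass whose overview command has a different name would deny `read`-only users, and if `getDefaultCommand()` returned a command outside the list the `write` failure branch would redirect straight into another denial. Consider deriving the set from those accessors, or at least document the coupling with `// Read-only commands; keep in sync with getUnitCategoryOverviewCommand()/getDefaultCommand()`. The fail-closed ordering itself is right: every command needs `read`, and anything not listed needs `write`. The `return;` after `redirectToURL()` is only reachable if that call does not end the request, which presumably it does; the second denial branch has no such `return`, so pick one convention. checkPermissions is fully contained in this hunk.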
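Review bot: `$this->rbac_system->checkAccess('write', $this->request->getRefId())` is now spelled out here, in `checkPermissions()` above, and twice more in `ilUnitTableGUI` (constructor and `fillRow`); a single `public function hasWriteAccess(): bool` on ilUnitConfigurationGUI would give one place to change the operation or the ref id, and the table could call `$this->getParentObject()->hasWriteAccess()` instead of resolving `ilRbacSystem` and the request collector itself. Hiding the add button is a UI hint only, which is fine because the server-side gate is `checkPermissions()`; a short comment, `// UI only; access is enforced in checkPermissions()`, would save the next reader from looking for a second check. showUnitsOfCategory starts and ends outside this hunk.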
@@ -27,6 +30,8 @@ class ilUnitTableGUI extends ilTable2GUI
 private $position = 1;
 private \ILIAS\UI\Factory $ui_factory;
 private \ILIAS\UI\Renderer $ui_renderer;
+ private ilRbacSystem $rbac_system;
+ private RequestDataCollector $request;
 /**
 * @param ilUnitConfigurationGUI $controller
@@ -44,6 +49,8 @@ public function __construct(ilUnitConfigurationGUI $controller, $default_cmd, as
 $lng = $DIC['lng'];
 $this->ui_factory = $DIC->ui()->factory();
 $this->ui_renderer = $DIC->ui()->renderer();
+ $this->rbac_system = $DIC->rbac()->system();
+ $this->request = QuestionPoolDIC::dic()['request_data_collector'];
 $this->setId('units_' . $controller->getUniqueId());
@@ -51,7 +58,10 @@ public function __construct(ilUnitConfigurationGUI $controller, $default_cmd, as
 $ilCtrl->setParameter($this->getParentObject(), 'category_id', $category->getId());
- if ($this->getParentObject()->isCRUDContext()) {
+ if (
+ $this->getParentObject()?->isCRUDContext()
+ && $this->rbac_system->checkAccess('write', $this->request->getRefId())
+ ) {
 $this->addColumn('', '', '1%', true);
 $this->setSelectAllCheckbox('unit_ids[]');
 $this->addMultiCommand('confirmDeleteUnits', $this->lng->txt('delete'));
@@ -88,7 +98,10 @@ public function fillRow(array $a_set): void
 global $DIC;
 $ilCtrl = $DIC['ilCtrl'];
- if ($this->getParentObject()->isCRUDContext()) {
+ if (
+ $this->getParentObject()?->isCRUDContext()
+ && $this->rbac_system->checkAccess('write', $this->request->getRefId())
+ ) {
 $a_set['chb'] = ilLegacyFormElementsUtil::formCheckbox(false, 'unit_ids[]', $a_set['unit_id']);
 $sequence = new ilNumberInputGUI('', 'sequence[' . $a_set['unit_id'] . ']');
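Review bot: The nullsafe `$this->getParentObject()?->isCRUDContext()` is inconsistent with the unconditional `$ilCtrl->setParameter($this->getParentObject(), …)` immediately above it and with the non-nullable `ilUnitConfigurationGUI $controller` constructor parameter, so it implies a null parent is possible where the rest of the method assumes it is not; the `fillRow` hunk below has the same pattern. Use `->` here, or, if the parent can genuinely be null, guard that once at the top of the constructor rather than at each use site. The constructor starts and ends outside this hunk.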
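Review bot: `fillRow()` re-evaluates `isCRUDContext() && checkAccess('write', …)` for every rendered row, although the constructor hunk above already evaluates the identical expression once and the result is not expected to change between rows of one table. Store it once: `private bool $may_edit = false;` next to the new properties, `$this->may_edit = $this->getParentObject()->isCRUDContext() && $this->rbac_system->checkAccess('write', $this->request->getRefId());` in the constructor, and `if ($this->may_edit) {` both there and here. fillRow starts and ends outside this hunk.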