Check user before allowing setActive

1694120f · Christoph Thelen · d82dfbec · 1694120f
Commit 1694120f authored 11 years ago by Christoph Thelen
--- a/src/main/java/de/thm/arsnova/services/SessionService.java
+++ b/src/main/java/de/thm/arsnova/services/SessionService.java
@@ -233,6 +233,10 @@ public class SessionService implements ISessionService {
 	@Override
 	public Session setActive(String sessionkey, Boolean lock) {
 		Session session = databaseDao.getSessionFromKeyword(sessionkey);
+		User user = userService.getCurrentUser();
+		if (!session.isCreator(user)) {
+			throw new ForbiddenException();
+		}
 		return databaseDao.lockSession(session, lock);
 	}