Security: Exercise: Do not permit access to questions review if the a…

…ttempt is not of the connected user -refs BT#21295
chamilo · Dec 20, 2023 · 0b4df28 · 0b4df28
1 parent 7e4d11f
commit 0b4df28
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/main/exercise/exercise_reminder.php b/main/exercise/exercise_reminder.php
@@ -73,7 +73,7 @@
     $question_list = explode(',', $exercise_stat_info['data_tracking']);
 }
 
-if (empty($exercise_stat_info) || empty($question_list)) {
+if (empty($exercise_stat_info) || empty($question_list) || $exercise_stat_info['exe_user_id'] != api_get_user_id()) {
     api_not_allowed();
 }