Fix(Soap): Add RBAC 'read' permission check to getSCORMCompletionStatus and hasSCORMCertificate to prevent unauthorized data access.

Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: sKarki999

webservice/soap/classes/class.ilSoapSCORMAdministration.php

@@ -136,6 +136,10 @@ public function hasSCORMCertificate(string $sid, int $ref_id, int $usr_id)
             return $this->raiseError("Parent with ID $ref_id has been deleted.", 'Client');
         }
 
+        if(!$rbacsystem->checkAccess('read', $ref_id)) {
+            return $this->raiseError('No Permission to read object with ref_id ' . $ref_id, 'Client');
+        }
+
         $certValidator = new ilCertificateUserCertificateAccessValidator();
 
         return $certValidator->validate($usr_id, $obj_id);
@@ -166,6 +170,13 @@ public function getSCORMCompletionStatus(string $sid, int $a_usr_id, int $a_ref_
             );
         }
 
+        global $DIC;
+        $rbacsystem = $DIC['rbacsystem'];
+
+        if (!$rbacsystem->checkAccess('read', $a_ref_id)) {
+            return $this->raiseError('No permission to read object with ref_id ' . $a_ref_id, 'Client');
+        }
+
         include_once 'Services/Tracking/classes/class.ilLPStatus.php';
         include_once 'Services/Tracking/classes/class.ilObjUserTracking.php';