Fix(Soap): Add RBAC 'read' permission check to getSCORMCompletionStatus and hasSCORMCertificate to prevent unauthorized data access.

Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: sKarki999

components/ILIAS/soap/classes/class.ilSoapSCORMAdministration.php

@@ -132,6 +132,13 @@ public function hasSCORMCertificate(string $sid, int $ref_id, int $usr_id)
             return $this->raiseError("Parent with ID $ref_id has been deleted.", 'Client');
         }
 
+        if (!$rbacsystem->checkAccess('read', $ref_id)) {
+            return $this->raiseError(
+                'No permission to read the object with id: ' . $ref_id,
+                'Server'
+            );
+        }
+
         $certValidator = new ilCertificateUserCertificateAccessValidator();
 
         return $certValidator->validate($usr_id, $obj_id);
@@ -153,6 +160,16 @@ public function getSCORMCompletionStatus(string $sid, int $a_usr_id, int $a_ref_
             return $this->raiseError('No ref_id given. Aborting!', 'Client');
         }
 
+        global $DIC;
+        $rbacsystem = $DIC['rbacsystem'];
+
+        if (!$rbacsystem->checkAccess('read', $a_ref_id)) {
+            return $this->raiseError(
+                'No permission to read the object with id: ' . $a_ref_id,
+                'Server'
+            );
+        }
+
         ilInitialisation::initILIAS();
 
         if (!$obj_id = ilObject::_lookupObjectId($a_ref_id)) {