gocodebox · brianhogg · Feb 17, 2025 · Feb 17, 2025 · Feb 18, 2025 · Feb 18, 2025
@@ -0,0 +1,4 @@
+significance: patch
+type: fixed
+entry: Adds additional verifications on permission for bulk enrolls, and REST
+  API access for instructors.
@@ -73,6 +73,10 @@ public function __construct() {
 	 */
 	public function display_product_selection_for_bulk_users( $which ) {
 
+		if ( ! current_user_can( 'manage_lifterlms' ) ) {
+			return;
+		}
+
 		// The attributes need to be different for top and bottom of the table.
 		$id     = 'bottom' === $which ? 'llms_bulk_enroll_product2' : 'llms_bulk_enroll_product';
 		$submit = 'bottom' === $which ? 'llms_bulk_enroll2' : 'llms_bulk_enroll';
@@ -114,6 +118,12 @@ public function maybe_enroll_users_in_product() {
 			return;
 		}
 
+		if ( ! current_user_can( 'enroll', $this->product_id ) ) {
+			$message = __( 'You do not have permission to enroll users into this course or membership.', 'lifterlms' );
+			$this->generate_notice( 'error', $message );
+			return;
+		}
+
 		// Get the product title for notices.
 		$this->product_title = get_the_title( $this->product_id );
 

@@ -35,7 +35,7 @@ public function __construct() {
 
 		add_filter( 'user_has_cap', array( $this, 'handle_caps' ), 10, 3 );
 		add_filter( 'editable_roles', array( $this, 'editable_roles' ) );
-
+		add_filter( 'rest_user_query', array( $this, 'filter_rest_user_query' ), 10, 2 );
 	}
 
 	/**
@@ -98,7 +98,45 @@ public function editable_roles( $all_roles ) {
 		}
 
 		return $all_roles;
+	}
+
+	/**
+	 * Filter the WP_User_Query args to ensure that instructors can only see their students
+	 *
+	 * @since [version]
+	 *
+	 * @param array           $args WP_User_Query args.
+	 * @param WP_REST_Request $request Request object.
+	 * @return array
+	 */
+	public function filter_rest_user_query( $args, $request ) {
+
+		$user = wp_get_current_user();
+
+		if ( ! $user ) {
+			return $args;
+		}
+
+		if ( ! in_array( 'instructor', $user->roles, true ) ) {
+			return $args;
+		}
+
+		$instructor = llms_get_instructor( $user );
 
+		if ( ! $instructor ) {
+			return $args;
+		}
+
+		$student_query = $instructor->get_students( array( 'statuses' => array( 'enrolled' ) ) );
+		$students      = $student_query->get_results();
+
+		if ( empty( $students ) ) {
+			$args['include'] = array( 0 );
+		} else {
+			$args['include'] = wp_list_pluck( $students, 'id' );
+		}
+
+		return $args;
 	}
 
 	/**
@@ -137,7 +175,6 @@ public function edit_others_lms_content( $allcaps, $cap, $args ) {
 		}
 
 		return $allcaps;
-
 	}
 
 	/**
@@ -165,7 +202,6 @@ public static function get_editable_roles() {
 		);
 
 		return $roles;
-
 	}
 
 	/**
@@ -198,10 +234,10 @@ private function handle_cap_view_grades( $allcaps, $args ) {
 			return $allcaps;
 		}
 
-		$requested_cap = $args[0];
-		$current_user_id = intval( $args[1] );
+		$requested_cap     = $args[0];
+		$current_user_id   = intval( $args[1] );
 		$requested_user_id = intval( $args[2] );
-		$post_id = isset( $args[3] ) ? intval( $args[3] ) : false;
+		$post_id           = isset( $args[3] ) ? intval( $args[3] ) : false;
 
 		// Administrators and LMS managers explicitly have the cap so we don't need to perform any further checks.
 		if ( ! empty( $allcaps[ $requested_cap ] ) ) {
@@ -222,7 +258,6 @@ private function handle_cap_view_grades( $allcaps, $args ) {
 		}
 
 		return $allcaps;
-
 	}
 
 	/**
@@ -295,7 +330,6 @@ public function handle_caps( $allcaps, $cap, $args ) {
 		}
 
 		return $allcaps;
-
 	}
 
 	/**
@@ -308,7 +342,6 @@ public function handle_caps( $allcaps, $cap, $args ) {
 	public static function is_current_user_instructor() {
 
 		return ( current_user_can( 'lifterlms_instructor' ) && current_user_can( 'list_users' ) && ! current_user_can( 'manage_lifterlms' ) );
-
 	}
 
 	/**
@@ -384,7 +417,6 @@ protected function user_can_manage_user( $user_id, $edit_id ) {
 		}
 
 		return false;
-
 	}
 
 	/**
@@ -396,14 +428,11 @@ protected function user_can_manage_user( $user_id, $edit_id ) {
 	 * @param int $requested_user_id WP User ID of the user the action will be performed on.
 	 * @return bool Returns true if the user has the student, false if it doesn't
 	 */
-	protected function instructor_has_student( $current_user_id, $requested_user_id )
-	{
+	protected function instructor_has_student( $current_user_id, $requested_user_id ) {
 
 		$instructor = llms_get_instructor( $current_user_id );
 		return $instructor && $instructor->has_student( $requested_user_id );
-
 	}
-
 }
 
 return new LLMS_User_Permissions();