From ec25fd29ebfc74a8f68bf2ffec47b30f2af96553 Mon Sep 17 00:00:00 2001
From: Christoph Ludolf <ludolf@leifos.de>
Date: Wed, 11 Mar 2026 14:58:56 +0100
Subject: [PATCH] Skill: add delete tree permission check

---
 .../Skill/Access/class.SkillTreeAccess.php    | 11 +++++++++
 .../Skill/Tree/class.ilObjSkillTreeGUI.php    | 23 +++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/components/ILIAS/Skill/Access/class.SkillTreeAccess.php b/components/ILIAS/Skill/Access/class.SkillTreeAccess.php
index af3dac5ff940..d8fe223170d3 100755
--- a/components/ILIAS/Skill/Access/class.SkillTreeAccess.php
+++ b/components/ILIAS/Skill/Access/class.SkillTreeAccess.php
@@ -116,4 +116,15 @@ public function hasManageProfilesPermission(int $a_usr_id = 0): bool
         }
         return $this->access->checkAccessOfUser($a_usr_id, "manage_profiles", $this->ref_id);
     }
+
+    public function hasDeleteTreePermission(int $a_tree_ref_id = 0, int $a_usr_id = 0): bool
+    {
+        if ($a_tree_ref_id == 0) {
+            $a_tree_ref_id = $this->ref_id;
+        }
+        if ($a_usr_id == 0) {
+            $a_usr_id = $this->usr_id;
+        }
+        return $this->access->checkAccessOfUser($a_usr_id, "delete", $a_tree_ref_id);
+    }
 }
diff --git a/components/ILIAS/Skill/Tree/class.ilObjSkillTreeGUI.php b/components/ILIAS/Skill/Tree/class.ilObjSkillTreeGUI.php
index 19db5b6ea155..1b823d5f31ed 100755
--- a/components/ILIAS/Skill/Tree/class.ilObjSkillTreeGUI.php
+++ b/components/ILIAS/Skill/Tree/class.ilObjSkillTreeGUI.php
@@ -27,6 +27,7 @@
 use ILIAS\Skill\Usage;
 use ILIAS\UI\Component\Input\Container\Form;
 use ILIAS\GlobalScreen\ScreenContext;
+use ILIAS\UICore\GlobalTemplate;
 
 /**
  * Skill tree gui class
@@ -461,6 +462,7 @@ public function delete(): void
     {
         $ctrl = $this->ctrl;
 
+        $node_ids = [];
         if ($this->requested_table_action === "deleteTrees"
             && !empty($this->requested_table_tree_ids)
             && $this->requested_table_tree_ids[0] === "ALL_OBJECTS"
@@ -468,12 +470,29 @@ public function delete(): void
             $all_trees = $this->skill_tree_manager->getTrees();
             foreach ($all_trees as $tree_obj) {
                 $tree = $this->skill_tree_factory->getTreeById($tree_obj->getId());
-                $this->requested_node_ids[] = $tree->readRootId();
+                $node_ids[] = $tree->readRootId();
             }
         } elseif ($this->requested_table_action === "deleteTrees") {
-            $this->requested_node_ids = array_map("intval", $this->requested_table_tree_ids);
+            $node_ids = array_map("intval", $this->requested_table_tree_ids);
         }
 
+        $remaining_node_ids = [];
+        foreach ($node_ids as $id) {
+            $tree_id = $this->skill_tree_repo->getTreeIdForNodeId($id);
+            $tree_obj = $this->skill_tree_manager->getTree($tree_id);
+            if (!$this->skill_tree_access_manager->hasDeleteTreePermission($tree_obj->getRefId())) {
+                continue;
+            }
+            $remaining_node_ids[] = $id;
+        }
+
+        if (count($remaining_node_ids) != count($node_ids)) {
+            $this->tpl->setOnScreenMessage(GlobalTemplate::MESSAGE_TYPE_FAILURE, $this->lng->txt("no_permission"), true);
+            $this->ctrl->redirectByClass("ilskilltreeadmingui", "listTrees");
+            return;
+        }
+
+        $this->requested_node_ids = $remaining_node_ids;
         $this->deleteNodes($this);
     }