From 8d947ea81b8489b2a7d6b38aa2df8f651f73bb1d Mon Sep 17 00:00:00 2001
From: Julie Lenaerts
Date: Wed, 20 Oct 2021 13:37:27 +0200
Subject: [PATCH] viewing permission checked for returned accompanying periods by-person
---
 .../Controller/AccompanyingCourseApiController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php b/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php
index e7243fba1..891a0f461 100644
--- a/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php
+++ b/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php
@@ -207,7 +207,11 @@ $workflow = $this->registry->get($accompanyingPeriod);
 */
 public function getAccompanyingPeriodsByPerson(Person $person){
 $accompanyingPeriods = $person->getAccompanyingPeriods();
- return $this->json(\array_values($accompanyingPeriods), Response::HTTP_OK, [], ['groups' => [ 'read']]);
+ $accompanyingPeriodsChecked = array_filter($accompanyingPeriods,
+ function(AccompanyingPeriod $period){
+ return $this->isGranted(AccompanyingPeriodVoter::SEE, $period);
+ });
+ return $this->json(\array_values($accompanyingPeriodsChecked), Response::HTTP_OK, [], ['groups' => [ 'read']]);
 }
 }
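Review bot: Nothing in `getAccompanyingPeriodsByPerson` checks that the caller may see `$person` before its periods are read, so a user with no rights on that person receives `200` with an empty array rather than `403`, and the response presumably still distinguishes an existing person id from a missing one. If no access rule is declared in the annotations above the method (the docblock starts outside this hunk), add a guard as the first statement, e.g. `$this->denyAccessUnlessGranted(PersonVoter::SEE, $person);`, assuming the bundle's person voter is imported in this controller. The new filter also deserves a functional test with a user who is granted `SEE` on one period of the person and denied on another, asserting that only the granted period is serialized.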