gocodebox / lifterlms

LifterLMS, a WordPress LMS Solution: Easily create, sell, and protect engaging online courses.
https://lifterlms.com
GNU General Public License v3.0

Instructors and instructor assistants are able to view courses to which they are not assigned #1974

Closed robbiefarai closed 2 years ago

robbiefarai commented 2 years ago

Reproduction Steps

Expected Behavior

Actual Behavior

Error Messages / Logs


### System and Environment Information

<details>
<summary>System Report</summary>


```
Wordpress

Home Url: https://tacfit.com
Site Url: https://tacfit.com
Login Url: https://tacfit.com/wp-login.php
Version: 5.9
Debug Mode: No
Debug Log: No
Debug Display: No
Locale: en_US
Multisite: No
Page For Posts: Blog (#538) [https://tacfit.com/blog/]
Page On Front: TACFIT 2021 (#32805) [https://tacfit.com/]
Permalink Structure: /%postname%/
Show On Front: page
Wp Cron: Yes

Settings

Version: 5.8.0
Db Version: 5.8.0
Course Catalog: My Courses (#47133) [https://tacfit.com/my-courses/]
Membership Catalog: Membership Catalog (#44839) [https://tacfit.com/memberships/]
Student Dashboard: Dashboard (#44841) [https://tacfit.com/dashboard/]
Checkout Page: Purchase (#44840) [https://tacfit.com/purchase/]
Course Catalog Per Page: -1
Course Catalog Sorting: title,ASC
Membership Catalog Per Page: -1
Membership Catalog Sorting: menu_order,ASC
Site Membership: Not Set
Courses Endpoint: my-courses
Edit Endpoint: edit-account
Lost Password Endpoint: lost-password
Vouchers Endpoint: redeem-voucher
Autogenerate Username: no
Password Strength Meter: no
Minimum Password Strength:
Terms Required: no
Terms Page: Not Set
Checkout Names:
Checkout Address:
Checkout Phone:
Checkout Email Confirmation: no
Open Registration: no
Registration Names:
Registration Address:
Registration Phone:
Registration Voucher:
Registration Email Confirmation: no
Account Names:
Account Address:
Account Phone:
Account Email Confirmation: no
Confirmation Endpoint: confirm-payment
Force Ssl Checkout: no
Country: US
Currency: USD
Currency Position: left
Thousand Separator: ,
Decimal Separator: .
Decimals: 2
Trim Zero Decimals: yes
Recurring Payments: yes
Email From Address: info@tacfit.com
Email From Name: TACFIT®
Email Footer Text:
Email Header Image: 40805
Cert Bg Width: 800
Cert Bg Height: 616
Cert Legacy Compat: no

Constants

LLMS_REMOVE_ALL_DATA: undefined
LLMS_REST_DISABLE: undefined
LLMS_SITE_FEATURE_RECURRING_PAYMENTS: undefined
LLMS_SITE_IS_CLONE: undefined

Gateways

Manual: Disabled
Manual Logging:
Manual Order: 1

Server

Mysql Version: 5.5.5
Php Curl: Yes
Php Default Timezone: UTC
Php Fsockopen: Yes
Php Max Input Vars: 16384
Php Max Upload Size: 2 GB
Php Memory Limit: 2048M
Php Post Max Size: 1536M
Php Soap: Yes
Php Suhosin: No
Php Time Limt: 600
Php Version: 7.3.33
Software: Apache
Wp Memory Limit: 512M

Browser

HTTP USER AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15

Theme

Name: TACFIT 2021
Version: 1.75
Themeuri: https://www.tacfit.com
Authoruri: https://www.tacfit.com
Template:
Child Theme: No
Llms Support: No

Plugins

301 Redirects: 2.72
Advanced Coupons for WooCommerce Free: 3.1.2
Advanced Coupons for WooCommerce Premium: 3.1
Advanced Custom Fields PRO: 5.11.4
Advanced Order Export For WooCommerce: 3.2.2
Affiliate For WooCommerce: 3.13.0
Akismet Anti-Spam: 4.2.2
Cookie Notice & Compliance for GDPR / CCPA: 2.2.1
Facebook for WooCommerce: 2.6.9
FooEvents for WooCommerce: 1.14.23
FooEvents Multi-Day: 1.5.3
Gravity Forms: 2.5.16
Gravity Forms Advanced Post Creation Add-On: 1.0
Gravity Forms AWeber Add-On: 2.11
Groundhogg: 2.5.7.9
Groundhogg - Advanced Email Preferences: 1.0.8
Groundhogg - Advanced Features: 2.2.10
Groundhogg - AWS: 2.6.5
Groundhogg - Birthdays: 2.0.3
Groundhogg - Companies: 1.1.1
Groundhogg - Conditional Funnel Logic: 1.0.6
Groundhogg - Content Restriction: 2.1.2.1
Groundhogg - Contracts: 2.1.2
Groundhogg - Email Countdown Timer: 2.1.1
Groundhogg - Form Styling: 2.0.1
Groundhogg - Helper: 1.0.5
Groundhogg - Lead Scoring: 3.0.2
Groundhogg - Sales Pipeline: 3.0.10
Groundhogg - SMS: 2.3.1
Groundhogg - Social Proof: 2.2
Groundhogg - WooCommerce Integration: 2.4.1
Klaviyo: 2.5.5
LifterLMS: 5.8.0
LifterLMS Advanced Quizzes: 2.0.0
LifterLMS Advanced Videos: 1.0.0-beta.17
LifterLMS Assignments: 1.2.0
LifterLMS Custom Fields: 2.0.2
LifterLMS Formidable Forms: 1.0.4
LifterLMS Groups: 1.0.0-beta.18
LifterLMS Helper: 3.4.1
LifterLMS PDFs: 1.0.0
LifterLMS Private Areas: 1.1.5
LifterLMS WooCommerce: 2.2.1
Members: 3.1.7
PixelYourSite PRO: 8.6.6
Product Bundles - Bulk Discounts: 1.3.9
Product Bundles - Variation Bundles: 1.1.3
Product Customer List for WooCommerce: 2.9.3
Refersion for WooCommerce: 4.9.2
Regenerate Thumbnails: 3.1.5
TACFIT Locations: 1.0.0
User Switching: 1.5.8
WooCommerce: 6.1.1
WooCommerce - ShipStation Integration: 4.1.48
WooCommerce Customer/Order/Coupon Export: 5.3.3
WooCommerce Deposits: 2.3.0
WooCommerce Extended Coupon Features FREE: 3.2.8
WooCommerce FedEx Shipping Plugin with Print Label: 4.9.7
WooCommerce Gift Cards: 1.10.0
WooCommerce PayPal Here Gateway: 1.1.3
WooCommerce PayPal Payments: 1.6.5
WooCommerce PDF Invoices & Packing Slips: 2.12.1
WooCommerce PDF Product Vouchers: 3.9.15
WooCommerce Pre-Orders: 1.6.0
WooCommerce Product Bundles: 6.13.3
WooCommerce Product CSV Import Suite: 1.10.46
WooCommerce Shipment Tracking: 1.6.31
WooCommerce Shipping & Tax: 1.25.22
WooCommerce Stripe Gateway: 6.1.0
WooCommerce Subscriptions: 4.0.1
WooCommerce Sync for QuickBooks Online - by MyWorks Software: 2.4.0
WooCommerce USPS Shipping: 4.4.69
WooCommerce Waitlist: 2.3.2
Wordfence Security: 7.5.8
WP Downloader: 2.0
WP Offload SES Lite: 1.4.6
WP Product Feed Manager: 1.38.0
Yoast Duplicate Post: 4.4
Yoast SEO: 18.0

Integrations

BbPress: No
BuddyPress: No
LifterLMS Groups: Yes
LifterLMS Formidable Forms: No
WooCommerce: Yes
LifterLMS Private Areas: No
Videos: Vimeo: No
Videos: Wistia: No
Videos: YouTube: No

Template Overrides

```

</details>

This issue has been recreated:
+ [ ] Locally
+ [ ] On a staging site
+ [x] On a production website
+ [ ] With only LifterLMS and a default theme

### Browser, Device, and Operating System Information

+ Safari Version 15.2 (17612.3.6.1.6)
+ macOS Monterey version 12.1
+ MacBook Air (M1 2020)

thomasplevy commented 2 years ago

Looks like we've created this issue here:

https://github.com/gocodebox/lifterlms/blob/18d938219de427cbf4c57894dc7b81c87ebafd45/includes/class.llms.view.manager.php#L396-L401

For roles other than admin/lms manager we should be additionally checking on the user's permissions for the requested course.
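One way to implement the per-course check described in the comment above, as an added example that is not LifterLMS's own code and not the fix the project shipped in `class.llms.view.manager.php`. The point is object-level authorization: the role check already present tells you the user is an instructor, but says nothing about *which* course, so the course ID taken from the request has to be tied back to the user. Administrators and LMS managers pass unconditionally; instructors and instructor assistants must be able to edit the specific course. The role slugs (`lms_manager`, `instructor`, `instructors_assistant`), the `llms-view-as` query parameter, and the assumption that LifterLMS maps the `edit_post` meta capability on courses to the assigned instructors are assumptions not confirmed by this page; the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example, not LifterLMS code: object-level authorization for the
 * "view as" feature discussed in gocodebox/lifterlms#1974.
 *
 * Assumptions (not confirmed by the issue):
 *   - Role slugs are 'administrator', 'lms_manager', 'instructor' and
 *     'instructors_assistant'.
 *   - The request selects the course as the queried singular post and carries
 *     the requested view in the 'llms-view-as' query parameter.
 *   - LifterLMS maps the 'edit_post' meta capability so that instructors and
 *     their assistants can edit only the courses they are assigned to; the
 *     per-course check below relies on that mapping.
 */

/**
 * Decide whether $user_id may use the view manager on course $course_id.
 *
 * @param int $user_id   WordPress user ID.
 * @param int $course_id Course post ID (post type 'course').
 * @return bool True if the user may view the course via the view manager.
 */
function example_llms_user_can_view_course( $user_id, $course_id ) {
	$user = get_user_by( 'id', (int) $user_id );
	$post = get_post( (int) $course_id );

	// Unknown user, unknown post, or not a course: deny by default.
	if ( ! $user || ! $post || 'course' !== $post->post_type ) {
		return false;
	}

	$roles = (array) $user->roles;

	// Site-wide roles: no per-course restriction (matches the existing behaviour
	// the comment describes for admin / LMS manager).
	if ( array_intersect( array( 'administrator', 'lms_manager' ), $roles ) ) {
		return true;
	}

	// Instructors and assistants: role membership is not enough; the user must
	// hold the object-level capability on this specific course.
	if ( array_intersect( array( 'instructor', 'instructors_assistant' ), $roles ) ) {
		return user_can( $user, 'edit_post', $post->ID );
	}

	// Students and any other role: the view manager is not for them.
	return false;
}

/**
 * Apply the check to the incoming request and stop with 403 when it fails.
 * Hooked late enough that the queried object is known, early enough that no
 * course content has been rendered yet.
 */
function example_llms_gate_view_manager() {
	// Only relevant when a view-as switch is requested on a single course.
	if ( ! is_singular( 'course' ) || empty( $_GET['llms-view-as'] ) ) {
		return;
	}

	if ( ! example_llms_user_can_view_course( get_current_user_id(), get_queried_object_id() ) ) {
		wp_die( esc_html__( 'You are not assigned to this course.', 'example' ), 403 );
	}
}
add_action( 'template_redirect', 'example_llms_gate_view_manager' );
```

The deny-by-default structure matters: any role that is not explicitly handled falls through to `false`, so adding a new role later cannot silently widen access. In the real plugin the equivalent check belongs inside the view manager's own display decision rather than in a separate hook, so that the same rule governs every code path that honours the view-as request.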