Index: lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java
===================================================================
diff -u -r79add7aa4fc06ca2cc260306f2e33f987a0b4bcb -r656c0d80747b967ea9ec09add791b195898e729e
--- lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java (.../LearnerAction.java) (revision 79add7aa4fc06ca2cc260306f2e33f987a0b4bcb)
+++ lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java (.../LearnerAction.java) (revision 656c0d80747b967ea9ec09add791b195898e729e)
@@ -78,8 +78,8 @@
  *
  * @struts:action path="/learner" parameter="method" validate="false"
  * @struts:action-forward name="displayActivity" path="/DisplayActivity.do"
- * @struts:action-forward name="displayProgress" path="/progress.jsp" ----------------XDoclet Tags--------------------
- *
+ * @struts:action-forward name="displayProgress" path="/progress.jsp"
+ * @struts:action-forward name="message" path=".message"
  */
 public class LearnerAction extends LamsDispatchAction {
 // ---------------------------------------------------------------------
@@ -156,6 +156,16 @@
 learner = LearningWebUtil.getUserId();
 long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
+ // security check
+ Lesson lesson = learnerService.getLesson(lessonID);
+ User user = (User) LearnerServiceProxy.getUserManagementService(getServlet().getServletContext()).findById(
+ User.class, learner);
+ if ((lesson.getLessonClass() == null) || !lesson.getLessonClass().getLearners().contains(user)) {
+ request.setAttribute("messageKey", "User " + user.getLogin()
+ + " is not a learner in the requested lesson.");
+ return mapping.findForward("message");
+ }
+
 if (LearnerAction.log.isDebugEnabled()) {
 LearnerAction.log.debug("The learner [" + learner + "] is joining the lesson [" + lessonID + "]");
 }
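Review bot: The new membership check dereferences `lesson` and `user` without null guards, so a lesson id that `getLesson` does not resolve, or a learner id that `findById` does not resolve, throws a NullPointerException at `lesson.getLessonClass()` or `user.getLogin()` instead of reaching the intended `message` forward. Tighten the condition to `if ((lesson == null) || (user == null) || (lesson.getLessonClass() == null) || !lesson.getLessonClass().getLearners().contains(user)) {` and build the message from the id already in hand, `"User " + learner + " is not a learner in the requested lesson."`, so the rejection path itself cannot throw. The attribute is named `messageKey` while the value is a literal English sentence rather than a resource key; if the `.message` tile resolves it through the message bundle, a real key would be needed. If the other dispatch methods of this action (the `displayActivity`/`displayProgress` forwards declared in the first hunk) also take a lesson id, they presumably need the same check, but they are not visible here. The enclosing method begins before this hunk, and the first hunk (XDoclet forward tags) needs no change.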