Index: lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/CompleteActivityAction.java
===================================================================
diff -u -rfd1c6c450376476c752e6be5cb6048a2e370bd42 -re592c4068d9ae0e9d9ab98bf5cb566b3457508f6
--- lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/CompleteActivityAction.java (.../CompleteActivityAction.java) (revision fd1c6c450376476c752e6be5cb6048a2e370bd42)
+++ lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/CompleteActivityAction.java (.../CompleteActivityAction.java) (revision e592c4068d9ae0e9d9ab98bf5cb566b3457508f6)
@@ -80,6 +80,12 @@
 // live edit, and then the lock flag can't be checked correctly.
 LearnerProgress progress = learnerService
 .getProgressById(WebUtil.readLongParam(request, AttributeNames.PARAM_LEARNER_PROGRESS_ID, true));
+ if (!progress.getUser().getUserId().equals(learnerId)) {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "Current learner does not own the given progress");
+ log.error("Learner " + learnerId + " tried to complete an activity for progress "
+ + progress.getLearnerProgressId() + " which does not belong to him");
+ return null;
+ }
 // if user has already completed the lesson - we need to let integrations servers know to come and pick up
 // updated marks (as it won't happen at lessoncomplete.jsp page)
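Review bot: The new ownership check dereferences `progress` straight after `getProgressById(...)`, so a missing or unknown progress ID would, if that lookup can return null, end in a NullPointerException instead of a clean rejection; the `true` passed to `readLongParam` suggests the parameter may be optional. A guard placed before the comparison, such as `if (progress == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return null; }`, would keep that path explicit. The check is also only as strong as `learnerId`, which is assigned outside this hunk: it should come from the authenticated session rather than a request parameter, and it needs the same boxed type as `getUserId()`, since `equals` between an `Integer` and a `Long` is always false and would reject every learner. The enclosing method starts and ends outside the hunk, so neither point can be confirmed from here.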