Index: lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java
===================================================================
RCS file: /usr/local/cvsroot/lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java,v
diff -u -r1.52 -r1.53
--- lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java 20 Feb 2014 09:42:17 -0000 1.52
+++ lams_learning/src/java/org/lamsfoundation/lams/learning/web/action/LearnerAction.java 4 Aug 2014 15:41:31 -0000 1.53
@@ -78,8 +78,8 @@
 *
 * @struts:action path="/learner" parameter="method" validate="false"
 * @struts:action-forward name="displayActivity" path="/DisplayActivity.do"
- * @struts:action-forward name="displayProgress" path="/progress.jsp" ----------------XDoclet Tags--------------------
- *
+ * @struts:action-forward name="displayProgress" path="/progress.jsp"
+ * @struts:action-forward name="message" path=".message"
 */
 public class LearnerAction extends LamsDispatchAction {
 // ---------------------------------------------------------------------
@@ -156,6 +156,16 @@
 learner = LearningWebUtil.getUserId();
 long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
+ // security check
+ Lesson lesson = learnerService.getLesson(lessonID);
+ User user = (User) LearnerServiceProxy.getUserManagementService(getServlet().getServletContext()).findById( User.class, learner);
+ if ((lesson.getLessonClass() == null) || !lesson.getLessonClass().getLearners().contains(user)) {
+ request.setAttribute("messageKey", "User " + user.getLogin() + " is not a learner in the requested lesson.");
+ return mapping.findForward("message");
+ }
+
 if (LearnerAction.log.isDebugEnabled()) {
 LearnerAction.log.debug("The learner [" + learner + "] is joining the lesson [" + lessonID + "]");
 }
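Review bot: `lesson.getLessonClass()` on the new `if` line dereferences the result of `learnerService.getLesson(lessonID)` without a null check, so a lessonID that matches no lesson would surface as a NullPointerException instead of reaching the `message` forward; if `getLesson` can return null (not visible in the hunk) the guard should open with `if ((lesson == null) || (lesson.getLessonClass() == null) || ...`, and the same caveat applies to `user`, which is dereferenced via `user.getLogin()` inside the failure branch. A refused join is worth a log entry before the `return`, e.g. `LearnerAction.log.warn("User " + learner + " is not a learner in lesson " + lessonID);`, so denied access attempts are visible in the server log and not only in the response. The `contains(user)` test also depends on `User` equality semantics: if `User` does not override `equals`/`hashCode`, it relies on both lookups yielding the same persistent instance, which is worth a one-line comment at the check. The attribute named `messageKey` is set to a literal English sentence rather than a resource key, which may not match what the `.message` tile expects. The enclosing method starts and ends outside the hunk.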