From 0f76ff5ab572542341946d50394a54555054b25f Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Tue, 22 Jan 2013 08:37:58 +0000 Subject: [PATCH] * CardDAV: fixed wrong privileges for accounts addressbook, causing clients to report it read-only even for admins --- .../inc/class.addressbook_groupdav.inc.php | 12 +++++++++++ addressbook/inc/class.addressbook_so.inc.php | 4 ++++ phpgwapi/inc/class.groupdav.inc.php | 2 +- phpgwapi/inc/class.groupdav_handler.inc.php | 21 ++++++++++++++----- 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/addressbook/inc/class.addressbook_groupdav.inc.php b/addressbook/inc/class.addressbook_groupdav.inc.php index 07480c9e99..af565fbad4 100644 --- a/addressbook/inc/class.addressbook_groupdav.inc.php +++ b/addressbook/inc/class.addressbook_groupdav.inc.php @@ -939,6 +939,18 @@ class addressbook_groupdav extends groupdav_handler return $this->bo->check_perms($acl,$contact); } + /** + * Get grants of current user and app + * + * Reimplemented to account for static LDAP ACL and accounts (owner=0) + * + * @return array user-id => EGW_ACL_ADD|EGW_ACL_READ|EGW_ACL_EDIT|EGW_ACL_DELETE pairs + */ + public function get_grants() + { + return $this->bo->get_grants($this->bo->user); + } + /** * Return calendars/addressbooks shared from other users with the current one * diff --git a/addressbook/inc/class.addressbook_so.inc.php b/addressbook/inc/class.addressbook_so.inc.php index b2e6c0c471..590ec576cd 100755 --- a/addressbook/inc/class.addressbook_so.inc.php +++ b/addressbook/inc/class.addressbook_so.inc.php 
@@ -354,11 +354,15 @@ class addressbook_so // therefor the param false! $grants = $GLOBALS['egw']->acl->get_grants($contact_app,false,$user); } + // grants for accounts: everyone read, admins edit, no-one add or delete (only via admin app!) + $grants[0] = EGW_ACL_READ; + if ($this->is_admin()) $grants[0] |= EGW_ACL_EDIT; } else { $grants = array(); } + //error_log(__METHOD__."($user, '$contact_app') returning ".array2string($grants)); return $grants; } diff --git a/phpgwapi/inc/class.groupdav.inc.php b/phpgwapi/inc/class.groupdav.inc.php index 739e1397d5..b429c741a1 100644 --- a/phpgwapi/inc/class.groupdav.inc.php +++ b/phpgwapi/inc/class.groupdav.inc.php @@ -912,7 +912,7 @@ class groupdav extends HTTP_WebDAV_Server $props['sync-token'] = $handler->get_sync_token($path,$user); } } - if ($handler && $user) + if ($handler && !is_null($user)) { return $this->add_collection($path, $props, $handler->current_user_privileges($path, $user)); } diff --git a/phpgwapi/inc/class.groupdav_handler.inc.php b/phpgwapi/inc/class.groupdav_handler.inc.php index 2f1094a8ed..a35641ef53 100644 --- a/phpgwapi/inc/class.groupdav_handler.inc.php +++ b/phpgwapi/inc/class.groupdav_handler.inc.php @@ -415,6 +415,16 @@ abstract class groupdav_handler return $agent; } + /** + * Get grants of current user and app + * + * @return array user-id => EGW_ACL_ADD|EGW_ACL_READ|EGW_ACL_EDIT|EGW_ACL_DELETE pairs + */ + public function get_grants() + { + return $this->acl->get_grants($this->app, $this->app != 'addressbook'); + } + /** * Return priviledges for current user, default is read and read-current-user-privilege-set * 
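Review bot: In the addressbook_so hunk, `$this->is_admin()` is called without the `$user` that the grants are being computed for (the commented-out debug line suggests the method takes `$user` and `$contact_app`). The EDIT bit on `$grants[0]` therefore presumably follows the session user; confirm the two always coincide, or say so in a comment such as `// admin check is for the session user, not $user`. `$grants[0] = EGW_ACL_READ;` also overwrites whatever the preceding lookup returned for owner 0 and gives read access to the accounts address book to everyone reaching this branch. No site setting that restricts who may list accounts is consulted in the visible lines. The `if` that opens the branch and the method signature are outside the hunk.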
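Review bot: `!is_null($user)` in the groupdav.inc.php hunk admits every non-null value, not only the intended account id 0. If `$user` can ever be `false` (where it is assigned is outside the hunk), it later becomes an array key in `$grants[$user]`, where PHP casts `false` to 0, so the accounts address book's privileges would be reported for it. Checking the type as well, e.g. `if ($handler && is_numeric($user))`, or normalising `$user` to an int where it is set, removes that ambiguity. The same applies to the `is_null($user)` tests in groupdav_handler::current_user_privileges().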
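Review bot: The new base-class `get_grants()` in groupdav_handler keeps the `$this->app != 'addressbook'` special case, although this commit gives addressbook_groupdav its own override. If no other handler runs with app `addressbook`, that branch is unreachable and invites the two implementations to drift apart. The docblock should state what the second argument of `acl->get_grants()` switches on and why the address book opts out, and the comparison would be safer as `!==`.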
@@ -429,30 +439,31 @@ abstract class groupdav_handler static $grants; if (is_null($grants)) { - $grants = $this->acl->get_grants($this->app, $this->app != 'addressbook'); + $grants = $this->get_grants(); } $priviledes = array('read-current-user-privilege-set' => 'read-current-user-privilege-set'); - if (!$user || $grants[$user] & EGW_ACL_READ) + if (is_null($user) || $grants[$user] & EGW_ACL_READ) { $priviledes['read'] = 'read'; // allows on all calendars/addressbooks to write properties, as we store them on a per-user basis // and only allow to modify explicit named properties in CalDAV, CardDAV or Calendarserver name-space $priviledes['write-properties'] = 'write-properties'; } - if (!$user || $grants[$user] & EGW_ACL_ADD) + if (is_null($user) || $grants[$user] & EGW_ACL_ADD) { $priviledes['bind'] = 'bind'; // PUT for new resources } - if (!$user || $grants[$user] & EGW_ACL_EDIT) + if (is_null($user) || $grants[$user] & EGW_ACL_EDIT) { $priviledes['write-content'] = 'write-content'; // otherwise iOS calendar does not allow to add events } - if (!$user || $grants[$user] & EGW_ACL_DELETE) + if (is_null($user) || $grants[$user] & EGW_ACL_DELETE) { $priviledes['unbind'] = 'unbind'; // DELETE } // copy/move of existing resources might require write-properties, thought we do not support an explicit PROPATCH + //error_log(__METHOD__."('$path', ".array2string($user).') returning '.array2string($priviledes).' '.function_backtrace()); return $priviledes; }
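Review bot: `$grants[$user]` in current_user_privileges() is read without checking that the key exists, and `$user === 0` or any other non-null id now reaches these four tests instead of the old `!$user` shortcut. A handler whose `get_grants()` has no entry for that id raises an undefined-index notice on each test; it fails closed, but `$rights = isset($grants[$user]) ? $grants[$user] : 0;` followed by `is_null($user) || ($rights & EGW_ACL_READ)` makes that explicit. The `is_null($user)` case still reports read, bind, write-content and unbind without consulting any grants, which deserves a comment naming the collections requested with a null user. `static $grants` now caches the result of the overridable `$this->get_grants()`; on PHP 8.1 and later inherited methods share their static variables, so one handler's grants would be reused by the others, and a per-instance property is safer. This set only tells the client what to expect, with enforcement presumably elsewhere (e.g. `check_perms()` in the addressbook handler), and the method signature is outside the hunk.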