From 74c9b0ccb7f990d95ab3eaaabbc483fddcb03679 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 11 Oct 2007 06:24:57 +0000
Subject: [PATCH] fix prevent deleting of accounts via SyncML and to read private flag from the DB if missing
---
 addressbook/inc/class.bocontacts.inc.php | 21 +++++++++++++--------
 phpgwapi/inc/class.accounts_sql.inc.php | 2 +-
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/addressbook/inc/class.bocontacts.inc.php b/addressbook/inc/class.bocontacts.inc.php
index 02456b77ef..07ecf075dc 100755
--- a/addressbook/inc/class.bocontacts.inc.php
+++ b/addressbook/inc/class.bocontacts.inc.php
@@ -392,9 +392,10 @@ class bocontacts extends socontacts
  * deletes contact in db
  *
  * @param mixed &$contact contact array with key id or (array of) id(s)
+ * @param boolean $deny_account_delete=true if true never allow to delete accounts
  * @return boolean true on success or false on failiure
  */
- function delete($contact)
+ function delete($contact,$deny_account_delete=true)
 {
 if (is_array($contact) && isset($contact['id']))
 {
@@ -413,7 +414,7 @@ class bocontacts extends socontacts
 {
 $id = is_array($c) ? $c['id'] : $c;
- if ($this->check_perms(EGW_ACL_DELETE,$c) && parent::delete($id))
+ if ($this->check_perms(EGW_ACL_DELETE,$c,$deny_account_delete) && parent::delete($id))
 {
 $GLOBALS['egw']->link->unlink(0,'addressbook',$id);
 $GLOBALS['egw']->contenthistory->updateTimeStamp('contacts', $id, 'delete', time());
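Review bot: The new `$deny_account_delete` flag defaults to `true` in `delete()` but to `false` in `check_perms()` (hunk at -544), so a caller that asks `check_perms(EGW_ACL_DELETE, $c)` directly, for example to decide whether a delete action is offered, is told the account may be deleted while `delete($c)` will then refuse it. Since the flag exists to keep SyncML and other non-admin paths from removing accounts, `check_perms()` should presumably carry the same safe default, `function check_perms($needed,$contact,$deny_account_delete=true)`, with the accounts backend in class.accounts_sql.inc.php remaining the one caller that passes `false`. The `@param` line in both docblocks would be clearer if it named that intended exception: `@param boolean $deny_account_delete=true if true never allow to delete accounts (only the accounts backend passes false)`. The loop in `delete()` that forwards the flag (hunk at -413) continues outside the hunk.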
@@ -438,11 +439,14 @@ class bocontacts extends socontacts
 // remember if we add or update a entry
 if (($isUpdate = $contact['id']))
 {
- if (!isset($contact['owner'])) // owner not set on update, eg. SyncML
+ if (!isset($contact['owner']) || !isset($contact['private'])) // owner/private not set on update, eg. SyncML
 {
 if (($old = $this->read($contact['id']))) // --> try reading the old entry and set it from there
 {
- $contact['owner'] = $old['owner'];
+ if(!isset($contact['owner']))
+ {
+ $contact['owner'] = $old['owner'];
+ }
 if(!isset($contact['private']))
 {
 $contact['private'] = $old['private'];
@@ -544,14 +548,15 @@ class bocontacts extends socontacts
  *
  * @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE}
  * @param mixed $contact contact as array or the contact-id
- * @return boolean true permission granted or false for permission denied
+ * @param boolean $deny_account_delete=false if true never allow to delete accounts
+ * @return boolean true permission granted, false for permission denied, null for contact does not exist
  */
- function check_perms($needed,$contact)
+ function check_perms($needed,$contact,$deny_account_delete=false)
 {
 if ((!is_array($contact) || !isset($contact['owner'])) && !($contact = parent::read(is_array($contact) ? $contact['id'] : $contact)))
 {
- return false;
+ return null;
 }
 $owner = $contact['owner'];
@@ -561,7 +566,7 @@ class bocontacts extends socontacts
 return true;
 }
 // dont allow to delete own account (as admin handels it too)
- if (!$owner && $needed == EGW_ACL_DELETE && $contact['account_id'] == $this->user)
+ if (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $this->user))
 {
 return false;
 }
diff --git a/phpgwapi/inc/class.accounts_sql.inc.php b/phpgwapi/inc/class.accounts_sql.inc.php
index 7a1358e95d..f1d03627a0 100644
--- a/phpgwapi/inc/class.accounts_sql.inc.php
+++ b/phpgwapi/inc/class.accounts_sql.inc.php
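Review bot: When `$this->read($contact['id'])` fails inside the widened condition, neither `owner` nor `private` is filled in and the update apparently continues with `private` still unset; on a SyncML update of a private contact that would presumably store whatever default the save path applies, turning a private entry into a shared one. The `else` side of that `if` and the rest of the save are outside the hunk, but the safer behaviour is to refuse the update when the old entry cannot be read, `else { return false; } // cannot restore owner/private of an existing entry`, rather than proceed without the flag. Please confirm what the save path writes when `private` is absent before relying on this.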
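Review bot: `check_perms()` now returns `null` instead of `false` for a contact that cannot be read, so any caller outside this diff that tests the result with `!== false` will treat a missing contact as permitted; the `&&` in `delete()` is fine because it uses truthiness, but other call sites cannot be seen from here. A short note in the docblock would help, `@return boolean true permission granted, false for permission denied, null for contact does not exist (callers must not test with !== false)`, and the existing callers should be audited once. The function body continues outside the hunk.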
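Review bot: The new `$deny_account_delete` test is placed below an early `return true;` whose condition is outside the hunk, so any caller matched by that branch is still granted permission to delete an account regardless of the flag. If that branch covers the admin or owner case, an admin's SyncML client would still be able to remove accounts, which is what this commit sets out to prevent. Checking the flag before that early return, `if (!$owner && $needed == EGW_ACL_DELETE && $deny_account_delete) return false;`, makes the denial unconditional; the existing self-deletion check can then stay where it is.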
@@ -215,7 +215,7 @@ class accounts_backend
 {
 $GLOBALS['egw']->contacts =& CreateObject('phpgwapi.contacts');
 }
- $GLOBALS['egw']->contacts->delete($contact_id);
+ $GLOBALS['egw']->contacts->delete($contact_id,false); // false = allow to delete accounts (!)
 }
 return true;
 }
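Review bot: The result of `delete($contact_id,false)` is discarded and the method returns `true` unconditionally, so a refused or failed contact deletion leaves an orphaned addressbook entry for a removed account with no signal to the caller. Capturing it, `if (!$GLOBALS['egw']->contacts->delete($contact_id,false)) return false;`, or at least logging the failure, would make the cleanup observable; which of the two fits depends on what the method has already committed above, and that part is outside the hunk. The `false = allow to delete accounts (!)` comment is useful and should stay with the call, since this is meant to be the only site that passes `false`.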