From 75f04ec83445338d6ed1019e2ebe91456e144e7c Mon Sep 17 00:00:00 2001 From: mgalgoci Date: Thu, 2 Sep 2004 21:28:30 +0000 Subject: [PATCH] Fix issue where people invited to a private event were unable view the event let alone view the event details. invitees are now allowed to view the event details as well as accept their invitation to the event. NB: - if an invitee has granted another user private access to the invitee's calendar, the user to which private access has been granted is UNABLE to view the details of the event. - if the person who created the event and marked the event private has granted another user access to that person's private events, then the person granted private access WILL be able to see the details of the event. - at most, uninvited third parties will only see that a private event is taking place at some time, but only if they have at least read access to the calendar of one of the people invited to the event. I hope this makes sense. I've tested this extensively to make sure I am not accidently granting access to private events that should be kept private. --- calendar/inc/class.bocalendar.inc.php | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/calendar/inc/class.bocalendar.inc.php b/calendar/inc/class.bocalendar.inc.php index 708ad56b9c..ddd65cf4d4 100755 --- a/calendar/inc/class.bocalendar.inc.php +++ b/calendar/inc/class.bocalendar.inc.php @@ -1465,6 +1465,7 @@ function check_perms($needed,$event=0,$other=0) { $event_in = $event; + if (is_int($event) && $event == 0) { $owner = $other > 0 ? $other : $this->owner; 
@@ -1486,19 +1487,20 @@ $owner = $event['owner']; $private = $event['public'] == False || $event['public'] == 0; } + $user = $GLOBALS['phpgw_info']['user']['account_id']; + $grants = $this->grants[$owner]; if (is_array($event) && $needed == PHPGW_ACL_READ) { - // Check if the $user is one of the participants or has a read-grant from one of them - // + /* grant read access if the $user is one of the participants. */ if (isset($event['participants']) && is_array($event['participants'])) { foreach($event['participants'] as $uid => $accept) { - if ($this->grants[$uid] & PHPGW_ACL_READ || $uid == $user) - { + if ($uid == $user) + { $grants |= PHPGW_ACL_READ; break; } @@ -1508,12 +1510,13 @@ if ($GLOBALS['phpgw']->accounts->get_type($owner) == 'g' && $needed == PHPGW_ACL_ADD) { - $access = False; // a group can't be the owner of an event + $access = False; /* a group can't be the owner of an event. why not?! */ } else { $access = $user == $owner || $grants & $needed && (!$private || $grants & PHPGW_ACL_PRIVATE); } + //echo "
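Review bot: The participant branch in this hunk ORs only `PHPGW_ACL_READ` into `$grants`, while the `$access` expression later in `check_perms` still requires `$grants & PHPGW_ACL_PRIVATE` whenever `$private` is set. As far as the visible lines show, an invitee with no private grant from the owner is therefore still refused on a private event, which is the case the description says is fixed. If invitees are meant to read private events they are invited to, the line would need to be `$grants |= PHPGW_ACL_READ | PHPGW_ACL_PRIVATE;`; the branch is already guarded by `$needed == PHPGW_ACL_READ`, so edit and delete checks would not be widened, but this should be confirmed against the intended policy and pinned with a test covering invitee, owner's private grantee and invitee's grantee. The match also uses the loose `$uid == $user`, and a guarded comparison such as `if ($user && (int) $uid === (int) $user)` would keep an empty account id from matching a participant key. The function begins before this hunk and continues after it.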

".function_backtrace()." check_perms($needed,$event_id,$other) for user $user and needed_acl $needed: event='$event[title]': owner=$owner, private=$private, grants=$grants ==> access=$access

\n"; return $access;