extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2024-10-05 17:52:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

* Calendar: not using freebusy rights for searching calendar, as it would allow to probe for event contents

Browse Source 
- optimised private event filter for searching to not query private grants (again) from database
This commit is contained in:
Ralf Becker 2011-08-16 10:20:40 +00:00
parent 4fe9d951a8
commit 8996f45e9e
2 changed files with 22 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
calendar/inc/class.calendar_bo.inc.php
View File

@ -313,9 +313,10 @@ class calendar_bo
* @param int|array $_users
* @param boolean $no_enum_groups=true
* @param boolean $ignore_acl=false
* @param boolean $use_freebusy=true should freebusy rights are taken into account, default true, can be set to false eg. for a search
* @return array of user-ids
*/
private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false)
private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false, $use_freebusy=true)
{
if (!is_array($_users))
{
@ -326,7 +327,7 @@ class calendar_bo
foreach($_users as $user)
{
$user = trim($user);
if ($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|EGW_ACL_FREEBUSY,0,$user))
if ($ignore_acl || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$user))
{
if ($user && !in_array($user,$users)) // already added?
{
@ -352,7 +353,7 @@ class calendar_bo
{
// use only members which gave the user a read-grant
if (!in_array($member['account_id'],$users) &&
($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_FREEBUSY,0,$member['account_id'])))
($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))
{
$users[] = $member['account_id'];
}
@ -428,7 +429,18 @@ class calendar_bo
$params['users'] = $params['query'] ? array_keys($this->grants) : $this->user;
}
// resolve users to add memberships for users and members for groups
$users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl']);
// for search, do NOT use freebusy rights, as it would allow to probe the content of event entries
$users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl'], empty($params['query']));
// supply so with private_grants, to not query them again from the database
if (!empty($params['query']))
{
$params['private_grants'] = array();
foreach($this->grants as $user => $rights)
{
if ($rights & EGW_ACL_PRIVATE) $params['private_grants'][] = $user;
}
}
// replace (by so not understood filter 'no-enum-groups' with 'default' filter
if ($params['filter'] == 'no-enum-groups')

10
calendar/inc/class.calendar_so.inc.php
View File

@ -404,10 +404,12 @@ class calendar_so
$where[] = '('.implode(' OR ',$to_or).')';
// Searching - restrict private to own or private grant
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
$private_filter = '(cal_public=1 OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
if($private_grants) $private_filter .= ' OR cal_public=0 AND cal_owner IN (' . implode(',',$private_grants) . ')';
$private_filter .= ')';
if (!isset($params['private_grants']))
{
$params['private_grants'] = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
$params['private_grants'][] = $GLOBALS['egw_info']['user']['account_id']; // db query does NOT return current user
}
$private_filter = '(cal_public=1 OR cal_public=0 AND '.$this->db->expression($this->cal_table, array('cal_owner' => $params['private_grants'])) . ')';
$where[] = $private_filter;
}
if (!empty($params['sql_filter']) && is_string($params['sql_filter']))