fixed bug: GroupDAV/CardDAV PUT request to /addressbook/ changes owner; also now checking the ACL required for moving contacts between addressbooks

This commit is contained in:
Ralf Becker 2010-10-20 15:47:30 +00:00
parent 4e65bde081
commit e86f5fb663
2 changed files with 18 additions and 8 deletions


@ -299,9 +299,10 @@ class addressbook_groupdav extends groupdav_handler
* @param array &$options * @param array &$options
* @param int $id * @param int $id
* @param int $user=null account_id of owner, default null * @param int $user=null account_id of owner, default null
* @param string $prefix=null user prefix from path (eg. /ralf from /ralf/addressbook)
* @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found') * @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found')
*/ */
function put(&$options,$id,$user=null) function put(&$options,$id,$user=null,$prefix=null)
{ {
if ($this->debug) error_log(__METHOD__.'('.array2string($options).",$id,$user)"); if ($this->debug) error_log(__METHOD__.'('.array2string($options).",$id,$user)");
@ -383,12 +384,21 @@ class addressbook_groupdav extends groupdav_handler
$contact['id'] = $oldContact['id']; $contact['id'] = $oldContact['id'];
// dont allow the client to overwrite certain values // dont allow the client to overwrite certain values
$contact['uid'] = $oldContact['uid']; $contact['uid'] = $oldContact['uid'];
//$contact['owner'] = $oldContact['owner']; $contact['owner'] = $oldContact['owner'];
$contact['private'] = $oldContact['private']; $contact['private'] = $oldContact['private'];
} }
// only set owner, if user is explicitly specified in URL (check via prefix, NOT for /addressbook/ !)
$contact['owner'] = $user; if ($prefix)
{
// check for modified owners, if user has an add right for the new addressbook and
// delete rights for the old addressbook (_common_get_put_delete checks for PUT only EGW_ACL_EDIT)
if ($oldContact && $user != $oldContact['owner'] && !($this->bo->grants[$user] & EGW_ACL_ADD) &&
(!$this->bo->grants[$oldContact['owner']] & EGW_ACL_DELETE))
{
return '403 Forbidden';
}
$contact['owner'] = $user;
}
if ($this->http_if_match) $contact['etag'] = self::etag2value($this->http_if_match); if ($this->http_if_match) $contact['etag'] = self::etag2value($this->http_if_match);
if (!($save_ok = $this->bo->save($contact))) if (!($save_ok = $this->bo->save($contact)))
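Review bot: The new ACL guard inside `if ($prefix)` does not enforce what its own comment states: the two right-checks are joined with `&&`, so the move is refused only when the user lacks both ADD on the new addressbook and DELETE on the old one, while a user holding either right alone is allowed through; and in the second operand `!` binds tighter than `&`, so `!$this->bo->grants[$oldContact['owner']] & EGW_ACL_DELETE` negates the whole grant mask before masking it instead of testing the DELETE bit. The condition should read `if ($oldContact && $user != $oldContact['owner'] && (!($this->bo->grants[$user] & EGW_ACL_ADD) ||` / `!($this->bo->grants[$oldContact['owner']] & EGW_ACL_DELETE)))`. When the target or old owner has no entry in `grants` at all the lookups would presumably raise an undefined-index notice (the shape of `grants` is not visible here), so an `isset()` guard treating a missing entry as no rights is advisable. The enclosing put() body begins before this hunk and continues after it.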


@ -732,13 +732,13 @@ class groupdav extends HTTP_WebDAV_Server
if ($this->debug) error_log(__METHOD__.'('.array2string($options).')'); if ($this->debug) error_log(__METHOD__.'('.array2string($options).')');
if (!$this->_parse_path($options['path'],$id,$app,$user)) if (!$this->_parse_path($options['path'],$id,$app,$user,$prefix))
{ {
return '404 Not Found'; return '404 Not Found';
} }
if (($handler = self::app_handler($app))) if (($handler = self::app_handler($app)))
{ {
$status = $handler->put($options,$id,$user); $status = $handler->put($options,$id,$user,$prefix);
// set default stati: true --> 204 No Content, false --> should be already handled // set default stati: true --> 204 No Content, false --> should be already handled
if (is_bool($status)) $status = $status ? '204 No Content' : '400 Something went wrong'; if (is_bool($status)) $status = $status ? '204 No Content' : '400 Something went wrong';
return $status; return $status;
@ -946,7 +946,7 @@ class groupdav extends HTTP_WebDAV_Server
list($id) = explode('.',$id); // remove evtl. .ics extension list($id) = explode('.',$id); // remove evtl. .ics extension
} }
$ok = $id && $user && in_array($app,array('addressbook','calendar','infolog','principals','groups')); $ok = $id && $user && in_array($app,array('addressbook','calendar','infolog','principals'));
if ($this->debug) if ($this->debug)
{ {
error_log(__METHOD__."('$path') returning " . ($ok ? 'true' : 'false') . ": id='$id', app='$app', user='$user', user_prefix='$user_prefix'"); error_log(__METHOD__."('$path') returning " . ($ok ? 'true' : 'false') . ": id='$id', app='$app', user='$user', user_prefix='$user_prefix'");