Fix GroupDAV private event issue
parent
015173f608
commit
362afdb312
@ -456,7 +456,7 @@ class calendar_bo
|
||||
}
|
||||
if ($is_private || (!$event['public'] && $filter == 'hideprivate'))
|
||||
{
|
||||
if($params['query'])
|
||||
if($params['query'] && !$this->check_perms(EGW_ACL_FREEBUSY,$event))
|
||||
{
|
||||
unset($events[$id]);
|
||||
$this->total--;
|
||||
@ -601,6 +601,11 @@ class calendar_bo
|
||||
'end' => $event['end'],
|
||||
'tzid' => $event['tzid'],
|
||||
'title' => lang('private'),
|
||||
'modified' => $event['modified'],
|
||||
'owner' => $event['owner'],
|
||||
'recur_type' => MCAL_RECUR_NONE,
|
||||
'etag' => $event['etag'],
|
||||
'max_user_modified' => $event['max_user_modified'],
|
||||
'participants' => array_intersect_key($event['participants'],array_flip($allowed_participants)),
|
||||
'public'=> 0,
|
||||
'category' => $event['category'], // category is visible anyway, eg. by using planner by cat
|
||||
@ -1078,6 +1083,7 @@ class calendar_bo
|
||||
{
|
||||
if ($uid == $this->user || $uid < 0 && in_array($this->user,$GLOBALS['egw']->accounts->members($uid,true)))
|
||||
{
|
||||
$grants |= EGW_ACL_FREEBUSY;
|
||||
// if we are a participant, we have an implicite READ and PRIVAT grant
|
||||
// exept the group gives its members only EGW_ACL_FREEBUSY and the participant is not the current user
|
||||
if ($this->grants[$uid] == EGW_ACL_FREEBUSY && $uid != $this->user) continue;
|
||||
@ -1108,7 +1114,8 @@ class calendar_bo
|
||||
}
|
||||
else
|
||||
{
|
||||
$access = $this->user == $owner || $grants & $needed && (!$private || $grants & EGW_ACL_PRIVATE);
|
||||
$access = $this->user == $owner || $grants & $needed
|
||||
&& ($needed == EGW_ACL_FREEBUSY || !$private || $grants & EGW_ACL_PRIVATE);
|
||||
}
|
||||
if ($this->debug && ($this->debug > 2 || $this->debug == 'check_perms'))
|
||||
{
|
||||
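Review bot: The added `!$this->check_perms(EGW_ACL_FREEBUSY,$event)` term in the `-456` hunk keeps a private event that matched `$params['query']` in the result set for anyone holding a free/busy grant, where it was previously dropped. Even if the hidden fields are blanked afterwards (that code is outside the hunk), the hit itself presumably confirms that the search term occurs in an event the user may not read. If the GroupDAV callers never pass a text query, the old `if($params['query'])` is the safer condition; otherwise the trade-off deserves a comment such as `// free/busy users keep query hits on private events; the match alone discloses that the term occurs`. The `$needed == EGW_ACL_FREEBUSY` exemption in the `-1108` hunk and the implicit `$grants |= EGW_ACL_FREEBUSY` in the `-1078` hunk widen the same path, so the docblock of `check_perms` (outside these hunks) should state that a FREEBUSY check ignores the private flag.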
|
@ -650,7 +650,13 @@ class calendar_groupdav extends groupdav_handler
|
||||
function read($id)
|
||||
{
|
||||
if ($this->debug > 1) error_log("bo-ical read :$id:");
|
||||
return $this->bo->read($id,null,false,'server');
|
||||
if (!$this->bo->check_perms(EGW_ACL_FREEBUSY, $id, 0, 'server')) return false;
|
||||
$event = $this->bo->read($id,null,true,'server');
|
||||
if (!$this->bo->check_perms(EGW_ACL_READ, $id, 0, 'server'))
|
||||
{
|
||||
$this->bo->clear_private_infos($event, array($this->bo->user, $event['owner']));
|
||||
}
|
||||
return $event;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -672,7 +678,14 @@ class calendar_groupdav extends groupdav_handler
|
||||
'num_rows' => 1,
|
||||
);
|
||||
|
||||
if ($path == '/calendar/') $filter['filter'] = 'owner';
|
||||
if ($path == '/calendar/')
|
||||
{
|
||||
$filter['filter'] = 'owner';
|
||||
}
|
||||
else
|
||||
{
|
||||
$filter['filter'] = 'default'; // not rejected
|
||||
}
|
||||
|
||||
$result =& $this->bo->search($filter);
|
||||
|
||||
@ -691,7 +704,8 @@ class calendar_groupdav extends groupdav_handler
|
||||
{
|
||||
if (!is_array($entry))
|
||||
{
|
||||
$entry = $this->read($entry);
|
||||
if (!$this->bo->check_perms(EGW_ACL_FREEBUSY, $entry, 0, 'server')) return false;
|
||||
$entry = $this->read($entry, null, true, 'server');
|
||||
}
|
||||
$etag = $entry['id'].':'.$entry['etag'];
|
||||
|
||||
@ -735,6 +749,11 @@ class calendar_groupdav extends groupdav_handler
|
||||
*/
|
||||
function check_access($acl,$event)
|
||||
{
|
||||
if ($acl == EGW_ACL_READ)
|
||||
{
|
||||
// we need at least EGW_ACL_FREEBUSY to get some information
|
||||
$acl = EGW_ACL_FREEBUSY;
|
||||
}
|
||||
return $this->bo->check_perms($acl,$event,0,'server');
|
||||
}
|
||||
|
||||
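Review bot: In the `-691` hunk the call `$this->read($entry, null, true, 'server')` targets this handler's own `read($id)`, which takes a single parameter, so the three extra arguments are silently ignored; they look copied from `$this->bo->read()`. It is harmless as written because `read()` applies the FREEBUSY check and `clear_private_infos()` itself, but a later "correction" to `$this->bo->read(...)` would bypass that redaction. I would write `$entry = $this->read($entry);` followed by `if (!$entry) return false;`, which also makes the preceding `check_perms` line unnecessary. Separately, `read()` hands `$event` to `clear_private_infos()` and reads `$event['owner']` without first checking that `$this->bo->read()` returned an event. The function enclosing the `-691` hunk starts outside the hunk.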
|
@ -249,13 +249,20 @@ class calendar_ical extends calendar_boupdate
|
||||
{
|
||||
if ($this->read($event, $recurrence, true, 'server'))
|
||||
{
|
||||
if ($this->log)
|
||||
if ($this->bo->check_perms(EGW_ACL_FREEBUSY, $event, 0, 'server'))
|
||||
{
|
||||
error_log(__FILE__.'['.__LINE__.'] '.__METHOD__.
|
||||
'() User does not have the permission to read event ' . $event['id']. "\n",
|
||||
3,$this->logfile);
|
||||
$this->bo->clear_private_infos($event, array($this->user, $event['owner']));
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($this->log)
|
||||
{
|
||||
error_log(__FILE__.'['.__LINE__.'] '.__METHOD__.
|
||||
'() User does not have the permission to read event ' . $event['id']. "\n",
|
||||
3,$this->logfile);
|
||||
}
|
||||
return -1; // Permission denied
|
||||
}
|
||||
return -1; // Permission denied
|
||||
}
|
||||
else
|
||||
{
|
||||
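Review bot: The new branch calls `$this->bo->check_perms(...)` and `$this->bo->clear_private_infos(...)`, but `calendar_ical` extends `calendar_boupdate` and the surrounding lines use `$this->read()` and `$this->user` directly. Unless a `bo` property is set outside this hunk, these calls fail on a non-object instead of deciding access. Assuming both methods are inherited, I would write `if ($this->check_perms(EGW_ACL_FREEBUSY, $event, 0, 'server'))` and `$this->clear_private_infos($event, array($this->user, $event['owner']));`. The result of `$this->read($event, $recurrence, true, 'server')` is only tested, not assigned, so the redaction runs on whatever `$event` held before; if that is still an id rather than the event array, nothing is blanked, which is worth confirming against the lines above the hunk. The enclosing block starts and ends outside the hunk.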
|