extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-07 16:44:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

* InfoLog/*DAV: do NOT set current user for PUT in /infolog/ and do not allow to change owner of existing entries

Browse Source
This commit is contained in:
Ralf Becker 2010-10-26 09:21:52 +00:00
parent 46c7b013b8
commit 3dccac6ce4
2 changed files with 42 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
infolog/inc/class.infolog_groupdav.inc.php
View File

@ -337,9 +337,10 @@ class infolog_groupdav extends groupdav_handler
* @param array &$options * @param array &$options
* @param int $id * @param int $id
* @param int $user=null account_id of owner, default null * @param int $user=null account_id of owner, default null
* @param string $prefix=null user prefix from path (eg. /ralf from /ralf/addressbook)
* @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found') * @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found')
*/ */
function put(&$options,$id,$user=null) function put(&$options,$id,$user=null,$prefix=null)
{ {
if ($this->debug) error_log(__METHOD__."($id, $user)".print_r($options,true)); if ($this->debug) error_log(__METHOD__."($id, $user)".print_r($options,true));
@ -381,7 +382,29 @@ class infolog_groupdav extends groupdav_handler
$retval = '201 Created'; $retval = '201 Created';
} }
} }
if ($user)
{
if (!$prefix) // for everything in /infolog/
{
$user = null; // do NOT set current user (infolog_bo->write() set it for new entries anyway)
}
elseif($oldTask) // existing entries
{
if ($oldTask['info_owner'] != $user)
{
if ($this->debug) error_log(__METHOD__."(,$id,$user,$prefix) changing owner of existing entries is forbidden!");
return '403 Forbidden'; // changing owner of existing entries is generally forbidden
}
$user = null;
}
else // new entries in /$user/infolog
{
// ACL is checked in infolog_bo->write() called by infolog_ical->importVTODO().
// Not sure if it's a good idea to set a different owner, as GUI does NOT allow that,
// thought there's an ACL for it and backend (infolog_bo) checks it.
// More like the GUI would be to add it for current user and delegate it to $user.
}
}
if (!($infoId = $handler->importVTODO($vTodo, $taskId, false, $user))) if (!($infoId = $handler->importVTODO($vTodo, $taskId, false, $user)))
{ {
if ($this->debug) error_log(__METHOD__."(,$id) import_vtodo($options[content]) returned false"); if ($this->debug) error_log(__METHOD__."(,$id) import_vtodo($options[content]) returned false");
@ -512,7 +535,7 @@ class infolog_groupdav extends groupdav_handler
); );
$result =& $this->bo->search($query); $result =& $this->bo->search($query);
if (empty($result)) return 'EGw-0-wGE'; if (empty($result)) return 'EGw-0-wGE';
$entry = array_shift($result); $entry = array_shift($result);

32
infolog/inc/class.infolog_tracking.inc.php
View File

@ -261,24 +261,24 @@ class infolog_tracking extends bo_tracking
* *
* Overrides parent to log the modified date in the history, but not to send a notification * Overrides parent to log the modified date in the history, but not to send a notification
* *
* @param array $data current entry * @param array $data current entry
* @param array $old=null old/last state of the entry or null for a new entry * @param array $old=null old/last state of the entry or null for a new entry
* @param int $user=null user who made the changes, default to current user * @param int $user=null user who made the changes, default to current user
* @param boolean $deleted=null can be set to true to let the tracking know the item got deleted or undeleted * @param boolean $deleted=null can be set to true to let the tracking know the item got deleted or undeleted
* @param array $changed_fields=null changed fields from ealier call to $this->changed_fields($data,$old), to not compute it again * @param array $changed_fields=null changed fields from ealier call to $this->changed_fields($data,$old), to not compute it again
* @param boolean $skip_notification=false do NOT send any notification * @param boolean $skip_notification=false do NOT send any notification
* @return int|boolean false on error, integer number of changes logged or true for new entries ($old == null) * @return int|boolean false on error, integer number of changes logged or true for new entries ($old == null)
*/ */
public function track(array $data,array $old=null,$user=null,$deleted=null,array $changed_fields=null,$skip_notification=false) public function track(array $data,array $old=null,$user=null,$deleted=null,array $changed_fields=null,$skip_notification=false)
{ {
$this->user = !is_null($user) ? $user : $GLOBALS['egw_info']['user']['account_id']; $this->user = !is_null($user) ? $user : $GLOBALS['egw_info']['user']['account_id'];
$changes = true; $changes = true;
if ($old && $this->field2history) if ($old && $this->field2history)
{ {
$changes = $this->save_history($data,$old,$deleted,$changed_fields); $changes = $this->save_history($data,$old,$deleted,$changed_fields);
} }
// Don't notify if the only change was to the modified date // Don't notify if the only change was to the modified date
if(is_null($changed_fields)) if(is_null($changed_fields))