mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-25 16:18:57 +01:00
* Calendar: not using freebusy rights for searching calendar, as it would allow to probe for event contents
- optimised private event filter for searching to not query private grants (again) from database
This commit is contained in:
parent
60f991ec21
commit
3ecb55ad78
@ -313,9 +313,10 @@ class calendar_bo
|
||||
* @param int|array $_users
|
||||
* @param boolean $no_enum_groups=true
|
||||
* @param boolean $ignore_acl=false
|
||||
* @param boolean $use_freebusy=true should freebusy rights are taken into account, default true, can be set to false eg. for a search
|
||||
* @return array of user-ids
|
||||
*/
|
||||
private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false)
|
||||
private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false, $use_freebusy=true)
|
||||
{
|
||||
if (!is_array($_users))
|
||||
{
|
||||
@ -326,7 +327,7 @@ class calendar_bo
|
||||
foreach($_users as $user)
|
||||
{
|
||||
$user = trim($user);
|
||||
if ($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|EGW_ACL_FREEBUSY,0,$user))
|
||||
if ($ignore_acl || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$user))
|
||||
{
|
||||
if ($user && !in_array($user,$users)) // already added?
|
||||
{
|
||||
@ -352,7 +353,7 @@ class calendar_bo
|
||||
{
|
||||
// use only members which gave the user a read-grant
|
||||
if (!in_array($member['account_id'],$users) &&
|
||||
($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_FREEBUSY,0,$member['account_id'])))
|
||||
($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))
|
||||
{
|
||||
$users[] = $member['account_id'];
|
||||
}
|
||||
@ -428,7 +429,18 @@ class calendar_bo
|
||||
$params['users'] = $params['query'] ? array_keys($this->grants) : $this->user;
|
||||
}
|
||||
// resolve users to add memberships for users and members for groups
|
||||
$users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl']);
|
||||
// for search, do NOT use freebusy rights, as it would allow to probe the content of event entries
|
||||
$users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl'], empty($params['query']));
|
||||
|
||||
// supply so with private_grants, to not query them again from the database
|
||||
if (!empty($params['query']))
|
||||
{
|
||||
$params['private_grants'] = array();
|
||||
foreach($this->grants as $user => $rights)
|
||||
{
|
||||
if ($rights & EGW_ACL_PRIVATE) $params['private_grants'][] = $user;
|
||||
}
|
||||
}
|
||||
|
||||
// replace (by so not understood filter 'no-enum-groups' with 'default' filter
|
||||
if ($params['filter'] == 'no-enum-groups')
|
||||
|
@ -404,10 +404,12 @@ class calendar_so
|
||||
$where[] = '('.implode(' OR ',$to_or).')';
|
||||
|
||||
// Searching - restrict private to own or private grant
|
||||
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
|
||||
$private_filter = '(cal_public=1 OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
|
||||
if($private_grants) $private_filter .= ' OR cal_public=0 AND cal_owner IN (' . implode(',',$private_grants) . ')';
|
||||
$private_filter .= ')';
|
||||
if (!isset($params['private_grants']))
|
||||
{
|
||||
$params['private_grants'] = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
|
||||
$params['private_grants'][] = $GLOBALS['egw_info']['user']['account_id']; // db query does NOT return current user
|
||||
}
|
||||
$private_filter = '(cal_public=1 OR cal_public=0 AND '.$this->db->expression($this->cal_table, array('cal_owner' => $params['private_grants'])) . ')';
|
||||
$where[] = $private_filter;
|
||||
}
|
||||
if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
|
||||
|
Loading…
Reference in New Issue
Block a user