From 3ecb55ad7868bef769faafa7915287ab6849b991 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 16 Aug 2011 10:21:22 +0000
Subject: [PATCH] * Calendar: not using freebusy rights for searching calendar, as it would allow to probe for event contents - optimised private event filter for searching to not query private grants (again) from database
---
calendar/inc/class.calendar_bo.inc.php | 20 ++++++++++++++++----
calendar/inc/class.calendar_so.inc.php | 10 ++++++----
2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/calendar/inc/class.calendar_bo.inc.php b/calendar/inc/class.calendar_bo.inc.php
index bb1f10cfdc..1958142a2f 100644
--- a/calendar/inc/class.calendar_bo.inc.php
+++ b/calendar/inc/class.calendar_bo.inc.php
@@ -313,9 +313,10 @@ class calendar_bo
 * @param int|array $_users
 * @param boolean $no_enum_groups=true
 * @param boolean $ignore_acl=false
+ * @param boolean $use_freebusy=true should freebusy rights are taken into account, default true, can be set to false eg. for a search
 * @return array of user-ids
 */
- private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false)
+ private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false, $use_freebusy=true)
 {
 if (!is_array($_users))
 {
@@ -326,7 +327,7 @@ class calendar_bo
 foreach($_users as $user)
 {
 $user = trim($user);
- if ($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|EGW_ACL_FREEBUSY,0,$user))
+ if ($ignore_acl || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$user))
 {
 if ($user && !in_array($user,$users)) // already added?
 {
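Review bot: The added `@param` line for `$use_freebusy` is hard to parse ("should freebusy rights are taken into account") and does not say why a caller would turn it off, which is the whole reason the parameter exists. Suggest `@param boolean $use_freebusy=true whether an EGW_ACL_FREEBUSY grant alone is enough to include a user; searches pass false, because freebusy access must not expose event contents`. The body of resolve_users continues past this hunk.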
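Review bot: The `($use_freebusy?EGW_ACL_FREEBUSY:0)` ternary is embedded in the bit-mask on the changed line here and repeated in the group-member check of the `@@ -352` hunk, so the two ACL checks can drift apart the next time one is edited. Computing it once near the top of resolve_users, `$freebusy = $use_freebusy ? EGW_ACL_FREEBUSY : 0;`, and writing `|$freebusy` in both masks keeps the rights used for direct users and for group members visibly identical. The loop this line belongs to continues outside the hunk.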
@@ -352,7 +353,7 @@ class calendar_bo
 {
 // use only members which gave the user a read-grant
 if (!in_array($member['account_id'],$users) &&
- ($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_FREEBUSY,0,$member['account_id'])))
+ ($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))
 {
 $users[] = $member['account_id'];
 }
@@ -428,7 +429,18 @@ class calendar_bo
 $params['users'] = $params['query'] ? array_keys($this->grants) : $this->user;
 }
 // resolve users to add memberships for users and members for groups
- $users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl']);
+ // for search, do NOT use freebusy rights, as it would allow to probe the content of event entries
+ $users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl'], empty($params['query']));
+
+ // supply so with private_grants, to not query them again from the database
+ if (!empty($params['query']))
+ {
+ $params['private_grants'] = array();
+ foreach($this->grants as $user => $rights)
+ {
+ if ($rights & EGW_ACL_PRIVATE) $params['private_grants'][] = $user;
+ }
+ }
 
 // replace (by so not understood filter 'no-enum-groups' with 'default' filter
 if ($params['filter'] == 'no-enum-groups')
diff --git a/calendar/inc/class.calendar_so.inc.php b/calendar/inc/class.calendar_so.inc.php
index d4c840f8b0..11390c0cf0 100644
--- a/calendar/inc/class.calendar_so.inc.php
+++ b/calendar/inc/class.calendar_so.inc.php
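Review bot: The changed group-member condition still reads `$params['ignore_acl']`, while the same commit replaces that with the `$ignore_acl` parameter in the `@@ -326` hunk; if this is still the body of resolve_users (whose signature in the first hunk takes `$ignore_acl` and no `$params`), that index is always null, so the ignore_acl switch is never honoured for group members and the ACL check always runs. The line should read `($ignore_acl || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))`. The enclosing function starts and ends outside this hunk.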
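Review bot: The `private_grants` list built here from `$this->grants` is handed to so as the complete owner list for private events, yet unlike the fallback in class.calendar_so.inc.php it never explicitly appends the current user. Whether `$this->grants` always carries EGW_ACL_PRIVATE for the user's own account is not visible in this hunk; if it does not, the user's own private events drop out of search results. Appending the user after the loop, `if (!in_array($this->user, $params['private_grants'])) $params['private_grants'][] = $this->user;`, makes the search filter independent of that assumption. The enclosing method continues outside the hunk.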
@@ -404,10 +404,12 @@ class calendar_so
 $where[] = '('.implode(' OR ',$to_or).')';
 
 // Searching - restrict private to own or private grant
- $private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
- $private_filter = '(cal_public=1 OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
- if($private_grants) $private_filter .= ' OR cal_public=0 AND cal_owner IN (' . implode(',',$private_grants) . ')';
- $private_filter .= ')';
+ if (!isset($params['private_grants']))
+ {
+ $params['private_grants'] = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
+ $params['private_grants'][] = $GLOBALS['egw_info']['user']['account_id']; // db query does NOT return current user
+ }
+ $private_filter = '(cal_public=1 OR cal_public=0 AND '.$this->db->expression($this->cal_table, array('cal_owner' => $params['private_grants'])) . ')';
 $where[] = $private_filter;
 }
 if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
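Review bot: When `$params['private_grants']` is supplied by the caller as an empty array, the new `$private_filter` passes that empty list straight to `$this->db->expression()`; what it renders for an empty `cal_owner` IN-list is not visible here, and the removed code guarded this case with `if($private_grants)`. Moving the append of the current user out of the `!isset` block, so that `$params['private_grants'][] = $GLOBALS['egw_info']['user']['account_id'];` runs on both paths, removes the empty case and preserves the old guarantee that the user's own events always match. Because `$params['private_grants']` now decides directly which private rows the ACL filter admits, a docblock entry such as `@param array $params['private_grants']=null optional list of account_ids holding an EGW_ACL_PRIVATE grant; must be derived from ACL data, never from request input` belongs on the method. The enclosing search method starts and ends outside this hunk.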