* Calendar: not using freebusy rights for searching calendar, as it would allow to probe for event contents
- optimised private event filter for searching to not query private grants (again) from database
This commit is contained in:
parent
60f991ec21
commit
3ecb55ad78
@ -313,9 +313,10 @@ class calendar_bo
|
|||||||
* @param int|array $_users
|
* @param int|array $_users
|
||||||
* @param boolean $no_enum_groups=true
|
* @param boolean $no_enum_groups=true
|
||||||
* @param boolean $ignore_acl=false
|
* @param boolean $ignore_acl=false
|
||||||
|
* @param boolean $use_freebusy=true should freebusy rights are taken into account, default true, can be set to false eg. for a search
|
||||||
* @return array of user-ids
|
* @return array of user-ids
|
||||||
*/
|
*/
|
||||||
private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false)
|
private function resolve_users($_users, $no_enum_groups=true, $ignore_acl=false, $use_freebusy=true)
|
||||||
{
|
{
|
||||||
if (!is_array($_users))
|
if (!is_array($_users))
|
||||||
{
|
{
|
||||||
@ -326,7 +327,7 @@ class calendar_bo
|
|||||||
foreach($_users as $user)
|
foreach($_users as $user)
|
||||||
{
|
{
|
||||||
$user = trim($user);
|
$user = trim($user);
|
||||||
if ($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|EGW_ACL_FREEBUSY,0,$user))
|
if ($ignore_acl || $this->check_perms(EGW_ACL_READ|EGW_ACL_READ_FOR_PARTICIPANTS|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$user))
|
||||||
{
|
{
|
||||||
if ($user && !in_array($user,$users)) // already added?
|
if ($user && !in_array($user,$users)) // already added?
|
||||||
{
|
{
|
||||||
@ -352,7 +353,7 @@ class calendar_bo
|
|||||||
{
|
{
|
||||||
// use only members which gave the user a read-grant
|
// use only members which gave the user a read-grant
|
||||||
if (!in_array($member['account_id'],$users) &&
|
if (!in_array($member['account_id'],$users) &&
|
||||||
($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|EGW_ACL_FREEBUSY,0,$member['account_id'])))
|
($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))
|
||||||
{
|
{
|
||||||
$users[] = $member['account_id'];
|
$users[] = $member['account_id'];
|
||||||
}
|
}
|
||||||
@ -428,7 +429,18 @@ class calendar_bo
|
|||||||
$params['users'] = $params['query'] ? array_keys($this->grants) : $this->user;
|
$params['users'] = $params['query'] ? array_keys($this->grants) : $this->user;
|
||||||
}
|
}
|
||||||
// resolve users to add memberships for users and members for groups
|
// resolve users to add memberships for users and members for groups
|
||||||
$users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl']);
|
// for search, do NOT use freebusy rights, as it would allow to probe the content of event entries
|
||||||
|
$users = $this->resolve_users($params['users'], $params['filter'] == 'no-enum-groups', $params['ignore_acl'], empty($params['query']));
|
||||||
|
|
||||||
|
// supply so with private_grants, to not query them again from the database
|
||||||
|
if (!empty($params['query']))
|
||||||
|
{
|
||||||
|
$params['private_grants'] = array();
|
||||||
|
foreach($this->grants as $user => $rights)
|
||||||
|
{
|
||||||
|
if ($rights & EGW_ACL_PRIVATE) $params['private_grants'][] = $user;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// replace (by so not understood filter 'no-enum-groups' with 'default' filter
|
// replace (by so not understood filter 'no-enum-groups' with 'default' filter
|
||||||
if ($params['filter'] == 'no-enum-groups')
|
if ($params['filter'] == 'no-enum-groups')
|
||||||
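Review bot: The group-member branch at the new line `($params['ignore_acl'] || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))` still reads `$params['ignore_acl']`, while the same commit corrects the per-user check in the previous hunk to the `$ignore_acl` parameter that `resolve_users()` actually receives. Unless `$params` is assigned somewhere in the lines between the two hunks, that index is undefined here, so callers passing `ignore_acl` still get group members filtered by ACL (plus a PHP notice); the line should read `($ignore_acl || $this->check_perms(EGW_ACL_READ|($use_freebusy?EGW_ACL_FREEBUSY:0),0,$member['account_id'])))`. Separately, the `private_grants` list built from `$this->grants` in the last hunk contains the current user only if `$this->grants` carries an `EGW_ACL_PRIVATE` entry for them, whereas the calendar_so fallback appends the current user explicitly; appending `$this->user` to the list in the bo branch as well would keep the search filter from hiding the user's own private events when the precomputed path is taken. The bodies of `resolve_users()` and of the enclosing search method continue outside these hunks.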
|
@ -404,10 +404,12 @@ class calendar_so
|
|||||||
$where[] = '('.implode(' OR ',$to_or).')';
|
$where[] = '('.implode(' OR ',$to_or).')';
|
||||||
|
|
||||||
// Searching - restrict private to own or private grant
|
// Searching - restrict private to own or private grant
|
||||||
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
|
if (!isset($params['private_grants']))
|
||||||
$private_filter = '(cal_public=1 OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
|
{
|
||||||
if($private_grants) $private_filter .= ' OR cal_public=0 AND cal_owner IN (' . implode(',',$private_grants) . ')';
|
$params['private_grants'] = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
|
||||||
$private_filter .= ')';
|
$params['private_grants'][] = $GLOBALS['egw_info']['user']['account_id']; // db query does NOT return current user
|
||||||
|
}
|
||||||
|
$private_filter = '(cal_public=1 OR cal_public=0 AND '.$this->db->expression($this->cal_table, array('cal_owner' => $params['private_grants'])) . ')';
|
||||||
$where[] = $private_filter;
|
$where[] = $private_filter;
|
||||||
}
|
}
|
||||||
if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
|
if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
|
||||||
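Review bot: The new filter at `$private_filter = '(cal_public=1 OR cal_public=0 AND '.$this->db->expression($this->cal_table, array('cal_owner' => $params['private_grants'])) . ')';` drops the `if($private_grants)` guard the removed code had, so an empty `private_grants` array can now reach `$this->db->expression()`; the fallback branch always appends the current user, but a precomputed list arrives as-is, and whether `expression()` turns an empty array into valid SQL is not visible here. Ensuring the current user is always present before building the filter, e.g. `if (!in_array($GLOBALS['egw_info']['user']['account_id'], $params['private_grants'])) $params['private_grants'][] = $GLOBALS['egw_info']['user']['account_id'];`, keeps the query well-formed and preserves the old code's guarantee (`cal_owner = <current user>`) that the user's own private events always pass regardless of how the list was built. Since `isset($params['private_grants'])` is all that separates a caller-supplied list from the ACL lookup, this key is effectively a trusted input to the private-event filter; the method's docblock should state that `private_grants` is internal and must only be supplied by calendar_bo from the current user's own grants, never from request data. The enclosing search method starts and ends outside this hunk.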
|