extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-25 01:13:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

* CalDAV/OutlookSynchronizer: reject invitations when client deletes them without appropriate rights in his calendar

Browse Source
This commit is contained in:
Ralf Becker 2020-03-04 20:17:34 +01:00
parent 44d9fcc790
commit 476d4bd99d
2 changed files with 40 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
calendar/inc/class.calendar_bo.inc.php
View File

@ -1338,7 +1338,7 @@ class calendar_bo
elseif ($grants[$uid] & Acl::READ)
{
// if we have a READ grant from a participant, we dont give an implicit privat grant too
$grant |= Acl::READ;
$grant |= self::ACL_FREEBUSY | Acl::READ;
// we cant break here, as we might be a participant too, and would miss the privat grant
}
elseif (!is_numeric($uid))

57
calendar/inc/class.calendar_groupdav.inc.php
View File

@ -1375,35 +1375,56 @@ class calendar_groupdav extends Api\CalDAV\Handler
return true; // simply ignore DELETE in inbox for now
}
$return_no_access = true; // to allow to check if current use is a participant and reject the event for him
if (!is_array($event = $this->_common_get_put_delete('DELETE',$options,$id,$return_no_access)) || !$return_no_access ||
// Work around problems with Outlook CalDAV Synchroniser (https://caldavsynchronizer.org/)
// - sends a DELETE to reject a meeting request --> deletes event for all participants, if user has delete rights on the calendar
// --> only set status for everyone else but the organizer
self::get_agent() == 'caldavsynchronizer' && is_array($event) && $event['owner'] != $user)
$event = $this->_common_get_put_delete('DELETE',$options,$id,$return_no_access);
// no event found --> 404 Not Found
if (!is_array($event))
{
if (is_array($event) && (!$return_no_access || $event['owner'] != $user))
$ret = $event;
error_log("_common_get_put_delete('DELETE', ..., $id) user=$user, return_no_access=".array2string($return_no_access)." returned ".array2string($event));
}
// Work around problems with Outlook CalDAV Synchronizer (https://caldavsynchronizer.org/)
// - sends a DELETE to reject a meeting request --> deletes event for all participants, if user has delete rights from the organizer
// --> only set status for everyone else but the organizer
// OR no delete rights and deleting an event in someone else calendar --> check if calendar owner is a participant --> reject him
elseif ((!$return_no_access || (self::get_agent() === 'caldavsynchronizer' && $event['owner'] != $user)) &&
// check if current user has edit rights for calendar of $user, can change status / reject invitation for him
$this->bo->check_perms(Acl::EDIT, 0, $user))
{
// check if user is a participant or one of the groups he is a member of --> reject the meeting request
$ret = '403 Forbidden';
$memberships = $GLOBALS['egw']->accounts->memberships($user, true);
foreach(array_keys($event['participants']) as $uid)
{
// check if user is a participant or one of the groups he is a member of --> reject the meeting request
$ret = '403 Forbidden';
$memberships = $GLOBALS['egw']->accounts->memberships($this->bo->user, true);
foreach(array_keys($event['participants']) as $uid)
if ($user == $uid || in_array($uid, $memberships))
{
if ($this->bo->user == $uid || in_array($uid, $memberships))
{
$this->bo->set_status($event,$this->bo->user, 'R');
$ret = true;
break;
}
$this->bo->set_status($event, $user, 'R');
$ret = true;
break;
}
}
else
}
// current user has no delete rights for event --> reject invitation, if he is a participant
elseif (!$return_no_access)
{
// check if current user is a participant or one of the groups he is a member of --> reject the meeting request
$ret = '403 Forbidden';
$memberships = $GLOBALS['egw']->accounts->memberships($this->bo->user, true);
foreach(array_keys($event['participants']) as $uid)
{
$ret = $event;
if ($this->bo->user == $uid || in_array($uid, $memberships))
{
$this->bo->set_status($event, $this->bo->user, 'R');
$ret = true;
break;
}
}
}
// we have delete rights on the event and (try to) delete it
else
{
$ret = $this->bo->delete($event['id']);
if (!$ret) { error_log("delete($event[id]) returned FALSE"); $ret = '400 Failed to delete event';}
}
if ($this->debug) error_log(__METHOD__."(,$id) return_no_access=$return_no_access, event[participants]=".array2string(is_array($event)?$event['participants']:null).", user={$this->bo->user} --> return ".array2string($ret));
return $ret;