* CardDAV: fixed wrong privileges for accounts addressbook, causing clients to report it read-only even for admins

This commit is contained in:
Ralf Becker 2013-01-22 08:39:42 +00:00
parent b76d0b44fc
commit 637bc916af
4 changed files with 33 additions and 6 deletions


@ -964,6 +964,18 @@ disabled for epl-11.1
return $this->bo->check_perms($acl,$contact);
}
/**
* Get grants of current user and app
*
* Reimplemented to account for static LDAP ACL and accounts (owner=0)
*
* @return array user-id => EGW_ACL_ADD|EGW_ACL_READ|EGW_ACL_EDIT|EGW_ACL_DELETE pairs
*/
public function get_grants()
{
return $this->bo->get_grants($this->bo->user);
}
/**
* Return calendars/addressbooks shared from other users with the current one
*
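Review bot: The new docblock on `get_grants()` (L14-L20) should state the contract the caller relies on: that the returned array always carries key `0` for the accounts addressbook, with `EGW_ACL_READ` for every user and `EGW_ACL_EDIT` added for admins, since `current_user_privileges()` in the handler base class indexes `$grants[$user]` directly and the read-only symptom in the title came from that entry being absent. A line such as `* Always contains key 0 (accounts): EGW_ACL_READ for everyone, plus EGW_ACL_EDIT for admins; never ADD or DELETE` after the "Reimplemented" sentence would make that explicit. The override also bypasses the base class's `$this->acl->get_grants($this->app, $this->app != 'addressbook')` call in favour of `$this->bo->get_grants($this->bo->user)`; that is presumably intentional, but the docblock should say so rather than leaving it to be inferred from the "static LDAP ACL" remark. The surrounding class and the docblock that begins at L25 continue outside the hunk.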


@ -354,11 +354,15 @@ class addressbook_so
// therefor the param false!
$grants = $GLOBALS['egw']->acl->get_grants($contact_app,false,$user);
}
// grants for accounts: everyone read, admins edit, no-one add or delete (only via admin app!)
$grants[0] = EGW_ACL_READ;
if ($this->is_admin()) $grants[0] |= EGW_ACL_EDIT;
}
else
{
$grants = array();
}
//error_log(__METHOD__."($user, '$contact_app') returning ".array2string($grants));
return $grants;
}
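Review bot: The added admin check at L37 is a brace-less single-statement `if` on one line, which the rest of this method (L38-L42) does not do; prefer `if ($this->is_admin()) { $grants[0] |= EGW_ACL_EDIT; }` so a later addition cannot silently fall outside the condition. L36 also unconditionally overwrites whatever the ACL returned for user 0 at L33; the inline comment makes the intent clear, but since callers now depend on this synthetic entry, the method's docblock (which starts before the hunk) should mention that key 0 is always set here and never carries `EGW_ACL_ADD` or `EGW_ACL_DELETE`. The `else` branch at L39-L42 returns an empty array without the key-0 entry, so the "everyone read" guarantee only holds on the first branch; if that asymmetry is deliberate, a short comment there would help.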


@ -912,7 +912,7 @@ class groupdav extends HTTP_WebDAV_Server
$props['sync-token'] = $handler->get_sync_token($path,$user);
}
}
if ($handler && $user)
if ($handler && !is_null($user))
{
return $this->add_collection($path, $props, $handler->current_user_privileges($path, $user));
}
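Review bot: Replacing `$user` with `!is_null($user)` at L54 widens the accepted values from "truthy" to "anything but null", which is what lets account id 0 through, but it also lets `false` or `''` through if the lookup that sets `$user` (outside this hunk) can yield those instead of null. In that case `current_user_privileges($path, $user)` would index `$grants[false]`/`$grants['']`, find nothing, and add the collection with only `read-current-user-privilege-set`. If `$user` is guaranteed to be `int|null` here this is fine and worth a comment, e.g. `// $user is 0 for the accounts addressbook, null when the path has no owner`; otherwise `is_int($user)` would pin the intent more tightly than `!is_null($user)`. The enclosing method starts and ends outside the hunk.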


@ -416,6 +416,16 @@ abstract class groupdav_handler
return $agent;
}
/**
* Get grants of current user and app
*
* @return array user-id => EGW_ACL_ADD|EGW_ACL_READ|EGW_ACL_EDIT|EGW_ACL_DELETE pairs
*/
public function get_grants()
{
return $this->acl->get_grants($this->app, $this->app != 'addressbook');
}
/**
* Return priviledges for current user, default is read and read-current-user-privilege-set
*
@ -430,30 +440,31 @@ abstract class groupdav_handler
static $grants;
if (is_null($grants))
{
$grants = $this->acl->get_grants($this->app, $this->app != 'addressbook');
$grants = $this->get_grants();
}
$priviledes = array('read-current-user-privilege-set' => 'read-current-user-privilege-set');
if (!$user || $grants[$user] & EGW_ACL_READ)
if (is_null($user) || $grants[$user] & EGW_ACL_READ)
{
$priviledes['read'] = 'read';
// allows on all calendars/addressbooks to write properties, as we store them on a per-user basis
// and only allow to modify explicit named properties in CalDAV, CardDAV or Calendarserver name-space
$priviledes['write-properties'] = 'write-properties';
}
if (!$user || $grants[$user] & EGW_ACL_ADD)
if (is_null($user) || $grants[$user] & EGW_ACL_ADD)
{
$priviledes['bind'] = 'bind'; // PUT for new resources
}
if (!$user || $grants[$user] & EGW_ACL_EDIT)
if (is_null($user) || $grants[$user] & EGW_ACL_EDIT)
{
$priviledes['write-content'] = 'write-content'; // otherwise iOS calendar does not allow to add events
}
if (!$user || $grants[$user] & EGW_ACL_DELETE)
if (is_null($user) || $grants[$user] & EGW_ACL_DELETE)
{
$priviledes['unbind'] = 'unbind'; // DELETE
}
// copy/move of existing resources might require write-properties, thought we do not support an explicit PROPATCH
//error_log(__METHOD__."('$path', ".array2string($user).') returning '.array2string($priviledes).' '.function_backtrace());
return $priviledes;
}
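Review bot: The rewritten conditions at L85, L93, L98 and L103 still index `$grants[$user]` without checking that the key exists, so a user id that is not in the grants array (now including `0` for the calendar and infolog handlers, which use the base `get_grants()` at L69-L72 and do not synthesise a key 0) raises an undefined-index notice and yields zero privileges via `null & EGW_ACL_READ`. Computing the mask once before the chain, `$acl = is_null($user) ? ~0 : (isset($grants[$user]) ? $grants[$user] : 0);`, and then writing each test as `if ($acl & EGW_ACL_READ)` keeps the behaviour (null still gets everything, missing users get nothing) without the notice and without repeating the `is_null($user) ||` prefix four times. The `static $grants` cache at L77 now memoises the result of a virtual call to `get_grants()` (L81); presumably each concrete handler class gets its own copy of the static, but if several handler classes are served in one request it is worth confirming that the cache is not shared across apps. The first hunk of this file (L62-L75) only adds the base `get_grants()` and needs no separate note.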