extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-08 00:54:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix issue where people invited to a private event were unable view the event

Browse Source 
let alone view the event details. invitees are now allowed to view the event
details as well as accept their invitation to the event.

NB:

- if an invitee has granted another user private access to the invitee's calendar, the user
to which private access has been granted is UNABLE to view the details of the event.

- if the person who created the event and marked the event private has granted another user
access to that person's private events, then the person granted private access WILL be able
to see the details of the event.

- at most, uninvited third parties will only see that a private event is taking place at some
time, but only if they have at least read access to the calendar of one of the people invited
to the event.

I hope this makes sense. I've tested this extensively to make sure I am not accidently granting
access to private events that should be kept private.
This commit is contained in:
mgalgoci 2004-09-02 21:28:30 +00:00
parent e235423ed9
commit 75f04ec834
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
calendar/inc/class.bocalendar.inc.php
View File

@ -1465,6 +1465,7 @@
function check_perms($needed,$event=0,$other=0)
{
$event_in = $event;
if (is_int($event) && $event == 0)
{
$owner = $other > 0 ? $other : $this->owner;
@ -1486,19 +1487,20 @@
$owner = $event['owner'];
$private = $event['public'] == False || $event['public'] == 0;
}
$user = $GLOBALS['phpgw_info']['user']['account_id'];
$grants = $this->grants[$owner];
if (is_array($event) && $needed == PHPGW_ACL_READ)
{
// Check if the $user is one of the participants or has a read-grant from one of them
//
/* grant read access if the $user is one of the participants. */
if (isset($event['participants']) && is_array($event['participants']))
{
foreach($event['participants'] as $uid => $accept)
{
if ($this->grants[$uid] & PHPGW_ACL_READ || $uid == $user)
{
if ($uid == $user)
{
$grants |= PHPGW_ACL_READ;
break;
}
@ -1508,12 +1510,13 @@
if ($GLOBALS['phpgw']->accounts->get_type($owner) == 'g' && $needed == PHPGW_ACL_ADD)
{
$access = False; // a group can't be the owner of an event
$access = False; /* a group can't be the owner of an event. why not?! */
}
else
{
$access = $user == $owner || $grants & $needed && (!$private || $grants & PHPGW_ACL_PRIVATE);
}
//echo "<p>".function_backtrace()." check_perms($needed,$event_id,$other) for user $user and needed_acl $needed: event='$event[title]': owner=$owner, private=$private, grants=$grants ==> access=$access</p>\n";
return $access;