extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2025-02-18 03:11:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixed contactform so anonymous user can attach files (without giving him addressbook run rights and edit rights for the used addressbook)

Browse Source
This commit is contained in:
Ralf Becker 2010-06-30 09:56:06 +00:00
parent 47a7fc9337
commit 8b90b62273
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
addressbook/inc/class.addressbook_contactform.inc.php
View File

@ -5,7 +5,7 @@
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de> * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @package addressbook * @package addressbook
* @copyright (c) 2007/8 by Ralf Becker <RalfBecker-AT-outdoor-training.de> * @copyright (c) 2007-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @version $Id$ * @version $Id$
*/ */
@ -60,7 +60,13 @@ class addressbook_contactform
{ {
if (is_array($value) && isset($value['tmp_name']) && is_readable($value['tmp_name'])) if (is_array($value) && isset($value['tmp_name']) && is_readable($value['tmp_name']))
{ {
// do no further permission check, as this would require_once
// the anonymous user to have run rights for addressbook AND
// edit rights for the addressbook used to store the new entry,
// which is clearly not wanted securitywise
egw_vfs::$is_root = true;
egw_link::link('addressbook',$id,egw_link::VFS_APPNAME,$value,$name); egw_link::link('addressbook',$id,egw_link::VFS_APPNAME,$value,$name);
egw_vfs::$is_root = false;
} }
} }