From 9d9bd270a27fe4d926cfc7dfeb2ed553aa6e4dd9 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sun, 9 Nov 2008 16:10:36 +0000
Subject: [PATCH] "- fix for bug #1817: file in a searchable directory was always readable - changed chgrp and chmod, to allow admins to modify files/dirs owned by root"
---
 phpgwapi/inc/class.sqlfs_stream_wrapper.inc.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/phpgwapi/inc/class.sqlfs_stream_wrapper.inc.php b/phpgwapi/inc/class.sqlfs_stream_wrapper.inc.php
index 68a6152534..4f87d8d57f 100644
--- a/phpgwapi/inc/class.sqlfs_stream_wrapper.inc.php
+++ b/phpgwapi/inc/class.sqlfs_stream_wrapper.inc.php
@@ -227,13 +227,15 @@ class sqlfs_stream_wrapper implements iface_stream_wrapper
 }
 else
 {
- if ($mode != 'r' && !egw_vfs::check_access($url,egw_vfs::WRITABLE,$stat)) // we are not allowed to edit it
+ if ($mode == 'r' && !egw_vfs::check_access($url,egw_vfs::READABLE ,$stat) ||// we are not allowed to read
+ $mode != 'r' && !egw_vfs::check_access($url,egw_vfs::WRITABLE,$stat)) // or edit it
 {
 self::_remove_password($url);
- if (self::LOG_LEVEL) error_log(__METHOD__."($url,$mode,$options) file can not be edited!");
+ $op = $mode == 'r' ? 'read' : 'edited';
+ if (self::LOG_LEVEL) error_log(__METHOD__."($url,$mode,$options) file can not be $op!");
 if (!($options & STREAM_URL_STAT_QUIET))
 {
- trigger_error(__METHOD__."($url,$mode,$options) file can not be edited!",E_USER_WARNING);
+ trigger_error(__METHOD__."($url,$mode,$options) file can not be $op!",E_USER_WARNING);
 }
 $this->opened_stream = $this->opened_path = $this->opened_mode = null;
 return false;
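Review bot: The new read check in the `if` fires only for the exact mode string `'r'`, so modes that both read and write (`'r+'`, `'w+'`, `'a+'`) are still gated by `egw_vfs::WRITABLE` alone, and a binary read such as `'rb'` is treated as a write. If the VFS can hold a file that is writable but not readable for the caller, the bug this commit fixes would stay reachable through those modes; whether it can depends on `check_access`, which is outside the hunk. I would derive both needs from the mode and test each, e.g. `$read = $mode[0] == 'r' || strpos($mode,'+') !== false;` and `$write = $mode[0] != 'r' || strpos($mode,'+') !== false;`, then `if ($read && !egw_vfs::check_access($url,egw_vfs::READABLE,$stat) || $write && !egw_vfs::check_access($url,egw_vfs::WRITABLE,$stat))`. The enclosing function starts and ends outside the hunk.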
@@ -790,7 +792,7 @@ class sqlfs_stream_wrapper implements iface_stream_wrapper
 trigger_error("No such file or directory $url !",E_USER_WARNING);
 return false;
 }
- if (!egw_vfs::$is_root && $stat['uid'] != egw_vfs::$user)
+ if (!egw_vfs::has_owner_rights($path,$stat))
 {
 if (self::LOG_LEVEL) error_log(__METHOD__."($url,$owner) only owner or root can do that!");
 trigger_error("Only owner or root can do that!",E_USER_WARNING);
@@ -831,7 +833,7 @@ class sqlfs_stream_wrapper implements iface_stream_wrapper
 trigger_error("No such file or directory $url !",E_USER_WARNING);
 return false;
 }
- if (!egw_vfs::$is_root && $stat['uid'] != egw_vfs::$user)
+ if (!egw_vfs::has_owner_rights($path,$stat))
 {
 if (self::LOG_LEVEL) error_log(__METHOD__."($url,$owner) only owner or root can do that!");
 trigger_error("Only owner or root can do that!",E_USER_WARNING);
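Review bot: Both replaced checks (this hunk and the one at `@@ -831,7 +833,7 @@`) pass `$path` to `egw_vfs::has_owner_rights()`, while every other visible line in the two hunks works with `$url`; the assignment of `$path` is outside the hunks, so confirm it is derived from the same `$url` that `$stat` was read for, otherwise the ownership decision is made on a different or undefined path. The denial texts are now stale, since the commit description says admins may also change files owned by root: `"Only owner or root can do that!"` could read `"Only owner, admin or root can do that!"`. Because this call is now the only visible gate before the group or mode is changed, a one-line comment above each `if` naming who it admits would help, e.g. `// owner, root, or an admin per egw_vfs::has_owner_rights()`. Both enclosing functions start and end outside the hunks.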