Fix issue where people invited to a private event were unable to view the event

let alone view the event details. Invitees are now allowed to view the event
details as well as accept their invitation to the event.

NB:

- if an invitee has granted another user private access to the invitee's calendar, the user
to which private access has been granted is UNABLE to view the details of the event.

- if the person who created the event and marked the event private has granted another user
access to that person's private events, then the person granted private access WILL be able
to see the details of the event.

- at most, uninvited third parties will only see that a private event is taking place at some
time, but only if they have at least read access to the calendar of one of the people invited
to the event.

I hope this makes sense. I've tested this extensively to make sure I am not accidentally granting
access to private events that should be kept private.
mgalgoci 2004-09-02 21:37:25 +00:00
parent 73386c5d07
commit d83ce9b3c5


@ -1458,6 +1458,7 @@
function check_perms($needed,$event=0,$other=0) function check_perms($needed,$event=0,$other=0)
{ {
$event_in = $event; $event_in = $event;
if (is_int($event) && $event == 0) if (is_int($event) && $event == 0)
{ {
$owner = $other > 0 ? $other : $this->owner; $owner = $other > 0 ? $other : $this->owner;
@ -1479,19 +1480,20 @@
$owner = $event['owner']; $owner = $event['owner'];
$private = $event['public'] == False || $event['public'] == 0; $private = $event['public'] == False || $event['public'] == 0;
} }
$user = $GLOBALS['phpgw_info']['user']['account_id']; $user = $GLOBALS['phpgw_info']['user']['account_id'];
$grants = $this->grants[$owner]; $grants = $this->grants[$owner];
if (is_array($event) && $needed == PHPGW_ACL_READ) if (is_array($event) && $needed == PHPGW_ACL_READ)
{ {
// Check if the $user is one of the participants or has a read-grant from one of them /* grant read access if the $user is one of the participants. */
//
if (isset($event['participants']) && is_array($event['participants'])) if (isset($event['participants']) && is_array($event['participants']))
{ {
foreach($event['participants'] as $uid => $accept) foreach($event['participants'] as $uid => $accept)
{ {
if ($this->grants[$uid] & PHPGW_ACL_READ || $uid == $user) if ($uid == $user)
{ {
$grants |= PHPGW_ACL_READ; $grants |= PHPGW_ACL_READ;
break; break;
} }
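Review bot: the narrowed test `if ($uid == $user)` in the participants loop drops the participant-grant branch for every event, because `$private` is not consulted at this point; a user whose only read grant comes from a participant rather than from the owner would now lose read access to non-private events as well. If only private events are meant to be tightened, keep the old branch for the non-private case, for example `$uid == $user || (!$private && ($this->grants[$uid] & PHPGW_ACL_READ))`, and state in the new comment which of the two cases is intended.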
@ -1501,12 +1503,13 @@
if ($GLOBALS['phpgw']->accounts->get_type($owner) == 'g' && $needed == PHPGW_ACL_ADD) if ($GLOBALS['phpgw']->accounts->get_type($owner) == 'g' && $needed == PHPGW_ACL_ADD)
{ {
$access = False; // a group can't be the owner of an event $access = False; /* a group can't be the owner of an event. why not?! */
} }
else else
{ {
$access = $user == $owner || $grants & $needed && (!$private || $grants & PHPGW_ACL_PRIVATE); $access = $user == $owner || $grants & $needed && (!$private || $grants & PHPGW_ACL_PRIVATE);
} }
//echo "<p>".function_backtrace()." check_perms($needed,$event_id,$other) for user $user and needed_acl $needed: event='$event[title]': owner=$owner, private=$private, grants=$grants ==> access=$access</p>\n"; //echo "<p>".function_backtrace()." check_perms($needed,$event_id,$other) for user $user and needed_acl $needed: event='$event[title]': owner=$owner, private=$private, grants=$grants ==> access=$access</p>\n";
return $access; return $access;
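Review bot: the unchanged access expression `$grants & $needed && (!$private || $grants & PHPGW_ACL_PRIVATE)` still requires PHPGW_ACL_PRIVATE for a private event, while the participant branch in the previous hunk only ORs in PHPGW_ACL_READ; on the lines shown, an invitee with no private grant from the owner is still refused, so the fix described in the commit message is not visible here. Please point to where a participant passes the private check, and parenthesise the `||` / `&&` / `&` mix so the intended precedence is explicit. The added `why not?!` in the group-owner comment reads as an open question and is better tracked in an issue than left in the code.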