mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-25 01:13:25 +01:00
Fix issue where people invited to a private event were unable view the event
let alone view the event details. invitees are now allowed to view the event details as well as accept their invitation to the event. NB: - if an invitee has granted another user private access to the invitee's calendar, the user to which private access has been granted is UNABLE to view the details of the event. - if the person who created the event and marked the event private has granted another user access to that person's private events, then the person granted private access WILL be able to see the details of the event. - at most, uninvited third parties will only see that a private event is taking place at some time, but only if they have at least read access to the calendar of one of the people invited to the event. I hope this makes sense. I've tested this extensively to make sure I am not accidently granting access to private events that should be kept private.
This commit is contained in:
parent
73386c5d07
commit
d83ce9b3c5
@ -1458,6 +1458,7 @@
|
||||
function check_perms($needed,$event=0,$other=0)
|
||||
{
|
||||
$event_in = $event;
|
||||
|
||||
if (is_int($event) && $event == 0)
|
||||
{
|
||||
$owner = $other > 0 ? $other : $this->owner;
|
||||
@ -1479,19 +1480,20 @@
|
||||
$owner = $event['owner'];
|
||||
$private = $event['public'] == False || $event['public'] == 0;
|
||||
}
|
||||
|
||||
$user = $GLOBALS['phpgw_info']['user']['account_id'];
|
||||
|
||||
$grants = $this->grants[$owner];
|
||||
|
||||
if (is_array($event) && $needed == PHPGW_ACL_READ)
|
||||
{
|
||||
// Check if the $user is one of the participants or has a read-grant from one of them
|
||||
//
|
||||
/* grant read access if the $user is one of the participants. */
|
||||
if (isset($event['participants']) && is_array($event['participants']))
|
||||
{
|
||||
foreach($event['participants'] as $uid => $accept)
|
||||
{
|
||||
if ($this->grants[$uid] & PHPGW_ACL_READ || $uid == $user)
|
||||
{
|
||||
if ($uid == $user)
|
||||
{
|
||||
$grants |= PHPGW_ACL_READ;
|
||||
break;
|
||||
}
|
||||
@ -1501,12 +1503,13 @@
|
||||
|
||||
if ($GLOBALS['phpgw']->accounts->get_type($owner) == 'g' && $needed == PHPGW_ACL_ADD)
|
||||
{
|
||||
$access = False; // a group can't be the owner of an event
|
||||
$access = False; /* a group can't be the owner of an event. why not?! */
|
||||
}
|
||||
else
|
||||
{
|
||||
$access = $user == $owner || $grants & $needed && (!$private || $grants & PHPGW_ACL_PRIVATE);
|
||||
}
|
||||
|
||||
//echo "<p>".function_backtrace()." check_perms($needed,$event_id,$other) for user $user and needed_acl $needed: event='$event[title]': owner=$owner, private=$private, grants=$grants ==> access=$access</p>\n";
|
||||
|
||||
return $access;
|
||||
|
Loading…
Reference in New Issue
Block a user