* Calendar: no longer returning private events of other user while searching, as it can reveal private information

Ralf Becker 2011-03-07 15:12:56 +00:00
parent 864b62ef96
commit de45c0a645
2 changed files with 9 additions and 5 deletions


@ -459,16 +459,13 @@ class calendar_bo
}
if (!$this->check_perms(EGW_ACL_READ,$event) || (!$event['public'] && $filter == 'hideprivate'))
{
if($params['query'])
if($filter == 'hideprivate')
{
unset($events[$id]);
$this->total--;
continue;
}
else
{
$this->clear_private_infos($events[$id],$users);
}
$this->clear_private_infos($events[$id],$users);
}
}
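Review bot: With the inner test changed to `if($filter == 'hideprivate')`, a search hit that fails `check_perms(EGW_ACL_READ,$event)` is no longer removed and only goes through `clear_private_infos()`, so the searcher can still learn that a hidden event matched the query. The SQL restriction added in calendar_so filters on `cal_public` and `cal_owner` only; if an event can fail the read check for any other reason (not visible here), keeping the removal for searches closes that gap: `if($params['query'] || $filter == 'hideprivate')`. Either way, a comment such as `// search results are already limited to public/own/granted events in calendar_so` would explain why the search case was dropped. The surrounding loop begins outside the hunk.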


@ -337,6 +337,13 @@ class calendar_so
$to_or[] = $col.' '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote('%'.$query.'%');
}
$where[] = '('.implode(' OR ',$to_or).')';
// Searching - restrict private to own or private grant
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
$private_filter = '(cal_public OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
if($private_grants) $private_filter .= ' OR !cal_public AND cal_owner IN (' . implode(',',$private_grants) . ')';
$private_filter .= ')';
$where[] = $private_filter;
}
if (!empty($sql_filter) && is_string($sql_filter))
{
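Review bot: The new `$private_filter` concatenates `$GLOBALS['egw_info']['user']['account_id']` and the imploded `$private_grants` straight into the WHERE clause, while the search term a few lines above goes through `$this->db->quote()`. Both are presumably numeric ids, but this filter is what keeps private events out of search results, so it should not depend on that assumption: use `(int)$GLOBALS['egw_info']['user']['account_id']` and `implode(',',array_map('intval',$private_grants))`. The bare `cal_public` / `!cal_public` boolean terms also look MySQL-specific, which sits oddly next to the `capabilities` lookup used for LIKE; assuming cal_public is a 0/1 flag, `cal_public=1` and `cal_public=0` would be portable. The enclosing method starts and ends outside the hunk.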