* Calendar: no longer returning private events of other users while searching, as this can reveal private information

Ralf Becker 2011-03-07 15:12:08 +00:00
parent b06cf300b1
commit f85ca66d2f
2 changed files with 9 additions and 5 deletions


@ -473,16 +473,13 @@ class calendar_bo
}
if ($is_private || (!$event['public'] && $filter == 'hideprivate'))
{
if($params['query'] && !$this->check_perms(EGW_ACL_FREEBUSY,$event))
if($filter == 'hideprivate')
{
unset($events[$id]);
$this->total--;
continue;
}
else
{
$this->clear_private_infos($events[$id],$users);
}
$this->clear_private_infos($events[$id],$users);
}
}
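Review bot: Nothing in this block now records that search results are still protected. As far as the marker-less rendering shows, the `$params['query']` branch that dropped events failing `check_perms(EGW_ACL_FREEBUSY,$event)` is gone, and its replacement is the WHERE clause added in calendar_so. I would add a comment above `if($filter == 'hideprivate')`, for example `// searches: private events of other users are already excluded by the SQL filter in calendar_so, here we only blank the details`. The SQL filter is added only inside the `query` branch of calendar_so, so this loop is the sole remaining check for any other path that feeds it events; that is worth confirming. The enclosing loop and method start and end outside the hunk.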


@ -342,6 +342,13 @@ class calendar_so
$to_or[] = $col.' '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote('%'.$params['query'].'%');
}
$where[] = '('.implode(' OR ',$to_or).')';
// Searching - restrict private to own or private grant
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
$private_filter = '(cal_public OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
if($private_grants) $private_filter .= ' OR !cal_public AND cal_owner IN (' . implode(',',$private_grants) . ')';
$private_filter .= ')';
$where[] = $private_filter;
}
if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
{
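Review bot: The new privacy filter concatenates `$GLOBALS['egw_info']['user']['account_id']` and the `get_ids_for_location()` result straight into the WHERE clause, and it uses `cal_public` / `!cal_public` as bare booleans, which is MySQL-style syntax. Both values come from the session and the ACL rather than from the request, so this is hardening rather than a demonstrated injection, but an integer cast keeps the clause safe however those values were populated. The surrounding code picks its LIKE operator from `$this->db->capabilities`, so other backends appear to be supported; there the bare column or the `!` operator would presumably make every search fail, which an explicit comparison avoids (the column type is not visible here, so confirm it is numeric). The `!cal_public AND` term can be dropped because public rows already match the first operand. The enclosing method starts and ends outside the hunk.

```php
// … unchanged: $where[] = '('.implode(' OR ',$to_or).')'; …
// Searching - restrict private to own or private grant
$user = (int)$GLOBALS['egw_info']['user']['account_id'];
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($user, EGW_ACL_PRIVATE, 'calendar');
$private_filter = '(cal_public <> 0 OR cal_owner = '.$user;
if ($private_grants) $private_filter .= ' OR cal_owner IN ('.implode(',', array_map('intval', $private_grants)).')';
// … unchanged: closing ')' and $where[] = $private_filter; …
```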