mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-23 23:29:31 +01:00
* Calendar: no longer returning private events of other users while searching, as it can reveal private information
parent
b06cf300b1
commit
f85ca66d2f
@ -473,16 +473,13 @@ class calendar_bo
|
||||
}
|
||||
if ($is_private || (!$event['public'] && $filter == 'hideprivate'))
|
||||
{
|
||||
if($params['query'] && !$this->check_perms(EGW_ACL_FREEBUSY,$event))
|
||||
if($filter == 'hideprivate')
|
||||
{
|
||||
unset($events[$id]);
|
||||
$this->total--;
|
||||
continue;
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->clear_private_infos($events[$id],$users);
|
||||
}
|
||||
$this->clear_private_infos($events[$id],$users);
|
||||
}
|
||||
}
|
||||
|
||||
|
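Review bot: The branch that handles unreadable private events carries no comment saying where search results are protected. The rendered page has lost its +/- markers, so this assumes the `$params['query'] && !$this->check_perms(EGW_ACL_FREEBUSY,$event)` test is the removed side. If so, this loop no longer drops private matches during a search and relies entirely on the SQL restriction added in calendar_so; without that restriction, a hit on a private event's text would confirm the searched term even after `clear_private_infos()` blanks the fields. A comment above `if($filter == 'hideprivate')` would record the dependency, e.g. `// search hits on foreign private events are already excluded by the SQL filter in calendar_so; here we only drop them for 'hideprivate', otherwise strip their details`. The enclosing loop starts and ends outside the hunk.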
@ -342,6 +342,13 @@ class calendar_so
|
||||
$to_or[] = $col.' '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote('%'.$params['query'].'%');
|
||||
}
|
||||
$where[] = '('.implode(' OR ',$to_or).')';
|
||||
|
||||
// Searching - restrict private to own or private grant
|
||||
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
|
||||
$private_filter = '(cal_public OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
|
||||
if($private_grants) $private_filter .= ' OR !cal_public AND cal_owner IN (' . implode(',',$private_grants) . ')';
|
||||
$private_filter .= ')';
|
||||
$where[] = $private_filter;
|
||||
}
|
||||
if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
|
||||
{
|
||||
|
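Review bot: The new private filter concatenates `$GLOBALS['egw_info']['user']['account_id']` and `implode(',',$private_grants)` straight into the WHERE clause, whereas the search term a few lines above goes through `$this->db->quote()`. Both values are presumably server-side integers, but normalising them keeps the clause safe if that ever changes: `'(cal_public=1 OR cal_owner='.(int)$GLOBALS['egw_info']['user']['account_id']` and `implode(',',array_map('intval',$private_grants))`. The `!cal_public` negation and the bare `cal_public` truth test are also not portable SQL, and the surrounding code picks its LIKE operator per database capability, so if cal_public is an integer column, `' OR (cal_public=0 AND cal_owner IN ('.….'))'` with explicit parentheses would be the safer form. The enclosing method starts and ends outside the hunk.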