* Calendar: no longer returning private events of other user while searching, as it can reveal private information

Ralf Becker 2011-03-07 15:12:08 +00:00
parent b06cf300b1
commit f85ca66d2f
2 changed files with 9 additions and 5 deletions


@ -473,16 +473,13 @@ class calendar_bo
} }
if ($is_private || (!$event['public'] && $filter == 'hideprivate')) if ($is_private || (!$event['public'] && $filter == 'hideprivate'))
{ {
if($params['query'] && !$this->check_perms(EGW_ACL_FREEBUSY,$event)) if($filter == 'hideprivate')
{ {
unset($events[$id]); unset($events[$id]);
$this->total--; $this->total--;
continue; continue;
} }
else $this->clear_private_infos($events[$id],$users);
{
$this->clear_private_infos($events[$id],$users);
}
} }
} }
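Review bot: With the `$params['query']` branch removed, nothing in this loop explains why a search hit on another user's private event may now be kept and merely blanked, so the protection depends silently on the SQL restriction added in calendar_so. I would add a comment above the `clear_private_infos()` call, e.g. `// searches are already limited to public/own/granted events in calendar_so; here we only blank private details`, so that WHERE clause is not changed later without revisiting this block. It is also worth confirming that every caller passing a query reaches this loop through that storage path, because a blanked entry that matched a search term still tells the searcher that the term occurs in the private event. The enclosing loop and the computation of `$is_private` lie outside the hunk.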


@ -342,6 +342,13 @@ class calendar_so
$to_or[] = $col.' '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote('%'.$params['query'].'%'); $to_or[] = $col.' '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote('%'.$params['query'].'%');
} }
$where[] = '('.implode(' OR ',$to_or).')'; $where[] = '('.implode(' OR ',$to_or).')';
// Searching - restrict private to own or private grant
$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
$private_filter = '(cal_public OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
if($private_grants) $private_filter .= ' OR !cal_public AND cal_owner IN (' . implode(',',$private_grants) . ')';
$private_filter .= ')';
$where[] = $private_filter;
} }
if (!empty($params['sql_filter']) && is_string($params['sql_filter'])) if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
{ {
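Review bot: The added `$private_filter` is built by plain string concatenation and treats `cal_public` / `!cal_public` as booleans, unlike the `$this->db->quote()` call a few lines above it. The account id and the ids from `get_ids_for_location()` are presumably integers, but nothing visible here enforces that, so I would cast them and use explicit, parenthesised comparisons: `$private_filter = '(cal_public=1 OR cal_owner='.(int)$GLOBALS['egw_info']['user']['account_id'];` and `$private_filter .= ' OR (cal_public=0 AND cal_owner IN ('.implode(',',array_map('intval',$private_grants)).'))';`. That removes the reliance on AND/OR precedence and on MySQL-style truthiness of what is probably an integer column, which other database backends may reject. Please also confirm that `get_ids_for_location()` called with the current user's id returns the accounts that granted private access to this user rather than the accounts this user granted it to, and whether grants received through group membership should count, since this clause is now the only thing keeping other users' private events out of search results. The enclosing method starts and ends outside the hunk.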