* Calendar: no longer returning private events of other user while searching, as it can reveal private information
This commit is contained in:
parent
b06cf300b1
commit
f85ca66d2f
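--- a/<path not shown on page: file defining class calendar_bo>
+++ b/<path not shown on page: file defining class calendar_bo>
@@ -473,16 +473,13 @@ class calendar_bo
 }
 if ($is_private || (!$event['public'] && $filter == 'hideprivate'))
 {
-if($params['query'] && !$this->check_perms(EGW_ACL_FREEBUSY,$event))
+if($filter == 'hideprivate')
 {
 unset($events[$id]);
 $this->total--;
 continue;
 }
-else
+$this->clear_private_infos($events[$id],$users);
-{
-$this->clear_private_infos($events[$id],$users);
-}
 }
 }
 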
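Review bot: With the `$params['query']` branch gone, this block no longer does anything search-specific, so the "private events of other users are not returned while searching" guarantee in the commit title now rests entirely on the SQL-level restriction added in the calendar_so hunk of this same commit; that dependency is not visible here and deserves a comment on the `if ($is_private || ...)` line, e.g. `// private events of other users are already filtered out of search results in the calendar_so query; here we only hide or redact what was returned`. A reader looking only at this class could otherwise assume private data is still checked per event before leaving the bo layer. As a point of style, `$filter == 'hideprivate'` is a loose comparison on a string flag and would be clearer as `$filter === 'hideprivate'`, matching the outer condition if that is changed too. The enclosing method starts and ends outside the hunk.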
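--- a/<path not shown on page: file defining class calendar_so>
+++ b/<path not shown on page: file defining class calendar_so>
@@ -342,6 +342,13 @@ class calendar_so
 $to_or[] = $col.' '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote('%'.$params['query'].'%');
 }
 $where[] = '('.implode(' OR ',$to_or).')';
+
+// Searching - restrict private to own or private grant
+$private_grants = $GLOBALS['egw']->acl->get_ids_for_location($GLOBALS['egw_info']['user']['account_id'], EGW_ACL_PRIVATE, 'calendar');
+$private_filter = '(cal_public OR cal_owner = ' . $GLOBALS['egw_info']['user']['account_id'];
+if($private_grants) $private_filter .= ' OR !cal_public AND cal_owner IN (' . implode(',',$private_grants) . ')';
+$private_filter .= ')';
+$where[] = $private_filter;
 }
 if (!empty($params['sql_filter']) && is_string($params['sql_filter']))
 {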
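Review bot: The new `$private_filter` string concatenates `$GLOBALS['egw_info']['user']['account_id']` and the `$private_grants` ids straight into SQL without an integer cast or the db layer's quoting, unlike the context line above it, which goes through `$this->db->quote()`. These values come from the session and the ACL table rather than from request input, so the exposure is low, but the column is numeric and a cheap cast keeps the clause well-formed if either source ever yields something unexpected: `$account_id = (int)$GLOBALS['egw_info']['user']['account_id'];` and `implode(',', array_map('intval', $private_grants))`, also removing the duplicated `$GLOBALS` lookup. Separately, `!cal_public` uses a MySQL-only spelling of NOT; since the context line reads `$this->db->capabilities[...]`, other backends appear to be supported, and `NOT cal_public` (or `cal_public=0`, depending on the column type, which is not visible here) is the portable form. The surrounding method begins and ends outside the hunk, so I cannot confirm this `$where[]` entry is combined with the others by AND, which the filter relies on.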