From 2240eb31051197c78c7f01001285b392f460bfaf Mon Sep 17 00:00:00 2001
From: Nathan Gray
Date: Thu, 1 Oct 2015 14:53:40 +0000
Subject: [PATCH] * Fix ACL error allowing regular users to delete global categories
---
 admin/inc/class.admin_categories.inc.php | 26 +++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/admin/inc/class.admin_categories.inc.php b/admin/inc/class.admin_categories.inc.php
index 7f6fb7c875..69a06f2a56 100644
--- a/admin/inc/class.admin_categories.inc.php
+++ b/admin/inc/class.admin_categories.inc.php
@@ -369,6 +369,19 @@ class admin_categories
 {
 $row['class'] .= ' rowNoEdit rowNoDelete ';
 }
+ else if (!$GLOBALS['egw_info']['user']['apps']['admin'])
+ {
+ if(!$cats->check_perms(EGW_ACL_EDIT, $row['id']) || !self::$acl_edit)
+ {
+ $row['class'] .= ' rowNoEdit';
+ }
+ if(!$cats->check_perms(EGW_ACL_DELETE, $row['id']) || !self::$acl_delete ||
+ // Only admins can delete globals
+ $cats->is_global($row['id']) && !$GLOBALS['egw_info']['user']['apps']['admin'])
+ {
+ $row['class'] .= ' rowNoDelete';
+ }
+ }
 // Can only edit (via context menu) categories for the selected app (backend restriction)
 if($row['appname'] != $query['appname'] || (array_sum($row['owner']) > 0))
 {
@@ -661,11 +674,18 @@ class admin_categories
 switch($action)
 {
 case 'delete':
+ $action_msg = lang('deleted');
 foreach($checked as $id)
 {
- $cats->delete($id,$settings == 'sub',$settings != 'sub');
- $action_msg = lang('deleted');
- $success++;
+ if($cats->check_perms(EGW_ACL_DELETE, $id, (boolean)$GLOBALS['egw_info']['user']['apps']['admin']))
+ {
+ $cats->delete($id,$settings == 'sub',$settings != 'sub');
+ $success++;
+ }
+ else
+ {
+ $failed++;
+ }
 }
 break;
 case 'owner':
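Review bot: The new delete guard in the first hunk mixes `||` and `&&` without parentheses, and its last term `&& !$GLOBALS['egw_info']['user']['apps']['admin']` is always true inside the enclosing `else if (!$GLOBALS['egw_info']['user']['apps']['admin'])` branch, so it only obscures the condition. I'd reduce the tail to `|| $cats->is_global($row['id']))` and keep the `// Only admins can delete globals` comment, which then states the whole rule. This hunk only strips the `rowNoEdit`/`rowNoDelete` classes, i.e. presentation; the server-side enforcement is the `check_perms` call in the action handler further down, and the two must agree on what counts as a global category or the list will advertise a delete the server refuses (or the reverse). The enclosing method starts and ends outside the hunk.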
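Review bot: The per-id `check_perms(EGW_ACL_DELETE, $id, ...)` call in the second hunk is the enforcement the commit title needs, but whether it refuses deletion of a global category for a non-admin depends on what the third argument does inside `check_perms`, which is not visible here; if it only relaxes an owner check, the `is_global` rule added to the list view stays UI-only and the bypass remains. Worth pinning with a test that a non-admin submitting a global category id ends in the `$failed++` branch, and worth logging the refused ids rather than only counting them, since a refused bulk delete is exactly what an audit trail should record. `(boolean)` is the long cast; `(bool)` is idiomatic, and `!empty($GLOBALS['egw_info']['user']['apps']['admin'])` avoids an undefined-index notice for users without the admin app (the first hunk reads the key the same way). `$failed` is incremented but its initialisation, and the remaining `switch` cases such as `'owner'`, lie outside the hunk — confirm those bulk actions get the same server-side check.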