From 3dccac6ce428cf46ef7666261052bdefa8fe897b Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 26 Oct 2010 09:21:52 +0000
Subject: [PATCH] * InfoLog/*DAV: do NOT set current user for PUT in /infolog/ and do not allow to change owner of existing entries

---
 infolog/inc/class.infolog_groupdav.inc.php | 29 ++++++++++++++++++--
 infolog/inc/class.infolog_tracking.inc.php | 32 +++++++++++-----------
 2 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/infolog/inc/class.infolog_groupdav.inc.php b/infolog/inc/class.infolog_groupdav.inc.php
index 8a2cea13b9..51509c4356 100644
--- a/infolog/inc/class.infolog_groupdav.inc.php
+++ b/infolog/inc/class.infolog_groupdav.inc.php
@@ -337,9 +337,10 @@ class infolog_groupdav extends groupdav_handler
 * @param array &$options
 * @param int $id
 * @param int $user=null account_id of owner, default null
+ * @param string $prefix=null user prefix from path (eg. /ralf from /ralf/addressbook)
 * @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found')
 */
- function put(&$options,$id,$user=null)
+ function put(&$options,$id,$user=null,$prefix=null)
 {
 if ($this->debug) error_log(__METHOD__."($id, $user)".print_r($options,true));
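Review bot: The debug trace on the last line of the hunk still logs only `($id, $user)` although put() now also receives `$prefix`, which is the value the new owner handling branches on; `if ($this->debug) error_log(__METHOD__."($id, $user, $prefix)".print_r($options,true));` would make a later 403 explainable from the log. The new `@param` example `/ralf from /ralf/addressbook` looks copied from the addressbook handler; for this class something like `(eg. /ralf from /ralf/infolog, null for the shared /infolog/ collection)` documents the case the code treats specially. put()'s body continues past the hunk.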
@@ -381,7 +382,29 @@ class infolog_groupdav extends groupdav_handler
 $retval = '201 Created';
 }
 }
-
+ if ($user)
+ {
+ if (!$prefix) // for everything in /infolog/
+ {
+ $user = null; // do NOT set current user (infolog_bo->write() set it for new entries anyway)
+ }
+ elseif($oldTask) // existing entries
+ {
+ if ($oldTask['info_owner'] != $user)
+ {
+ if ($this->debug) error_log(__METHOD__."(,$id,$user,$prefix) changing owner of existing entries is forbidden!");
+ return '403 Forbidden'; // changing owner of existing entries is generally forbidden
+ }
+ $user = null;
+ }
+ else // new entries in /$user/infolog
+ {
+ // ACL is checked in infolog_bo->write() called by infolog_ical->importVTODO().
+ // Not sure if it's a good idea to set a different owner, as GUI does NOT allow that,
+ // thought there's an ACL for it and backend (infolog_bo) checks it.
+ // More like the GUI would be to add it for current user and delegate it to $user.
+ }
+ }
 if (!($infoId = $handler->importVTODO($vTodo, $taskId, false, $user)))
 {
 if ($this->debug) error_log(__METHOD__."(,$id) import_vtodo($options[content]) returned false");
@@ -512,7 +535,7 @@ class infolog_groupdav extends groupdav_handler
 );
 $result =& $this->bo->search($query);
-
+
 if (empty($result)) return 'EGw-0-wGE';
 $entry = array_shift($result);
diff --git a/infolog/inc/class.infolog_tracking.inc.php b/infolog/inc/class.infolog_tracking.inc.php
index 12c5b8a7c1..34c28120ef 100644
--- a/infolog/inc/class.infolog_tracking.inc.php
+++ b/infolog/inc/class.infolog_tracking.inc.php
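Review bot: The owner guard added before the `importVTODO()` call compares with a loose `!=` and only runs when `$user` is truthy, and the `else` branch for new entries under `/$user/infolog` hands the path-derived `$user` through as the owner while its own comment says the author is unsure the backend ACL covers that. For a change whose point is to forbid owner changes, the existing-entry check should be strict, `if ((int)$oldTask['info_owner'] !== (int)$user)`, and the new-entry case should decide explicitly rather than rely on a check this hunk does not show: for example `if ($user != $GLOBALS['egw_info']['user']['account_id']) return '403 Forbidden';`, unless the add-right check in infolog_bo->write() is confirmed to reject a foreign owner. Whether `$oldTask` is populated for every id that reaches this point is not visible here; put() starts and ends outside the hunk. The four-line comment in the `else` branch would read better as a single TODO stating the open question, e.g. `// TODO: decide whether a different owner than the current user is allowed here; GUI adds for current user and delegates.`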
@@ -261,24 +261,24 @@ class infolog_tracking extends bo_tracking
 *
 * Overrides parent to log the modified date in the history, but not to send a notification
 *
- * @param array $data current entry
- * @param array $old=null old/last state of the entry or null for a new entry
- * @param int $user=null user who made the changes, default to current user
- * @param boolean $deleted=null can be set to true to let the tracking know the item got deleted or undeleted
- * @param array $changed_fields=null changed fields from ealier call to $this->changed_fields($data,$old), to not compute it again
- * @param boolean $skip_notification=false do NOT send any notification
- * @return int|boolean false on error, integer number of changes logged or true for new entries ($old == null)
- */
- public function track(array $data,array $old=null,$user=null,$deleted=null,array $changed_fields=null,$skip_notification=false)
- {
- $this->user = !is_null($user) ? $user : $GLOBALS['egw_info']['user']['account_id'];
+ * @param array $data current entry
+ * @param array $old=null old/last state of the entry or null for a new entry
+ * @param int $user=null user who made the changes, default to current user
+ * @param boolean $deleted=null can be set to true to let the tracking know the item got deleted or undeleted
+ * @param array $changed_fields=null changed fields from ealier call to $this->changed_fields($data,$old), to not compute it again
+ * @param boolean $skip_notification=false do NOT send any notification
+ * @return int|boolean false on error, integer number of changes logged or true for new entries ($old == null)
+ */
+ public function track(array $data,array $old=null,$user=null,$deleted=null,array $changed_fields=null,$skip_notification=false)
+ {
+ $this->user = !is_null($user) ? $user : $GLOBALS['egw_info']['user']['account_id'];
- $changes = true;
+ $changes = true;
- if ($old && $this->field2history)
- {
- $changes = $this->save_history($data,$old,$deleted,$changed_fields);
- }
+ if ($old && $this->field2history)
+ {
+ $changes = $this->save_history($data,$old,$deleted,$changed_fields);
+ }
 // Don't notify if the only change was to the modified date
 if(is_null($changed_fields))