holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add check for add access if entry to be saved has no ID, and type has an owner - prevents inserting (importing) into restricted types

Browse Source
This commit is contained in:
Nathan Gray 2011-12-06 23:30:48 +00:00
parent f7b8997be3
commit 5b5a6bb625
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
infolog/inc/class.infolog_bo.inc.php
View File

@ -828,10 +828,17 @@ class infolog_bo
if (isset($this->group_owners[$values['info_type']]))
{
$values['info_owner'] = $this->group_owners[$values['info_type']];
if (!($this->grants[$this->group_owners[$values['info_type']]] & EGW_ACL_EDIT))
if ($values['info_id'] && !($this->grants[$this->group_owners[$values['info_type']]] & EGW_ACL_EDIT))
{
if (!$this->check_access($values['info_id'],EGW_ACL_EDIT)) return false; // no edit rights from the group-owner and no implicit rights (delegated and sufficient rights)
}
else if (!$values['info_id'] && !($this->grants[$this->group_owners[$values['info_type']]] & EGW_ACL_ADD))
{
if (!$this->check_access($values,EGW_ACL_ADD))
{
return false;
}
}
}
elseif (!$values['info_id'] && !$values['info_owner'] || $GLOBALS['egw']->accounts->get_type($values['info_owner']) == 'g')
{