From 5b5a6bb625a5ef0b7c0a9673e50663f06040834a Mon Sep 17 00:00:00 2001
From: Nathan Gray
Date: Tue, 6 Dec 2011 23:30:48 +0000
Subject: [PATCH] Add check for add access if entry to be saved has no ID, and type has an owner - prevents inserting (importing) into restricted types
---
 infolog/inc/class.infolog_bo.inc.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/infolog/inc/class.infolog_bo.inc.php b/infolog/inc/class.infolog_bo.inc.php
index 03e2c2faac..78ae661d84 100644
--- a/infolog/inc/class.infolog_bo.inc.php
+++ b/infolog/inc/class.infolog_bo.inc.php
@@ -828,10 +828,17 @@ class infolog_bo
 if (isset($this->group_owners[$values['info_type']]))
 {
 $values['info_owner'] = $this->group_owners[$values['info_type']];
- if (!($this->grants[$this->group_owners[$values['info_type']]] & EGW_ACL_EDIT))
+ if ($values['info_id'] && !($this->grants[$this->group_owners[$values['info_type']]] & EGW_ACL_EDIT))
 {
 if (!$this->check_access($values['info_id'],EGW_ACL_EDIT)) return false; // no edit rights from the group-owner and no implicit rights (delegated and sufficient rights)
 }
+ else if (!$values['info_id'] && !($this->grants[$this->group_owners[$values['info_type']]] & EGW_ACL_ADD))
+ {
+ if (!$this->check_access($values,EGW_ACL_ADD))
+ {
+ return false;
+ }
+ }
 }
 elseif (!$values['info_id'] && !$values['info_owner'] || $GLOBALS['egw']->accounts->get_type($values['info_owner']) == 'g')
 {
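Review bot: The new ADD check in the `else if` branch runs only when `$values['info_id']` is empty, and that value comes from the data being saved, so a record carrying any non-empty id is routed through the EDIT branch instead. There the fallback `check_access($values['info_id'],EGW_ACL_EDIT)` is evaluated by id, which presumably means against the stored entry rather than against the group owner just written to `$values['info_owner']`; if so, an existing entry whose `info_type` is changed to a restricted type would still be saved under that type's owner without ADD rights on it. check_access() and the rest of the enclosing method are outside this hunk, so this needs confirming there. I would at least record the assumption above the first check: `// info_id is caller-supplied; an entry moved into this type from another one is only checked for EDIT on the stored entry, not ADD on the group owner - TODO confirm`.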