From 5d14807720f0e0f6f80f26953553ec5c55215e7f Mon Sep 17 00:00:00 2001 From: Nathan Gray Date: Mon, 2 May 2016 19:22:52 +0000 Subject: [PATCH] Planner sitemgr module - Check ACL and only offer users or resources anonymous user has access (read or free/busy) to - Stop some errors from missing framework breaking the timegrid - Fallback to be able to get resource labels in all cases --- calendar/inc/class.calendar_bo.inc.php | 2 +- ...ss.calendar_owner_etemplate_widget.inc.php | 44 ++++++++++++++++--- calendar/js/app.js | 4 +- calendar/js/et2_widget_planner.js | 5 ++- calendar/js/et2_widget_view.js | 6 +++ .../class.module_calendar_month.inc.php | 1 - .../class.module_calendar_planner.inc.php | 23 +++++++--- 7 files changed, 68 insertions(+), 17 deletions(-) diff --git a/calendar/inc/class.calendar_bo.inc.php b/calendar/inc/class.calendar_bo.inc.php index 2cdf19071a..46e3a8eccf 100644 --- a/calendar/inc/class.calendar_bo.inc.php +++ b/calendar/inc/class.calendar_bo.inc.php @@ -262,7 +262,7 @@ class calendar_bo ); Api\Cache::setSession('calendar', 'resources', $this->resources); } - //echo "registered resources="; _debug_array($this->resources); + //error_log(__METHOD__ . " registered resources=". array2string($this->resources)); $this->config = Api\Config::read('calendar'); // only used for horizont, regular calendar Api\Config is under phpgwapi $this->require_acl_invite = $GLOBALS['egw_info']['server']['require_acl_invite']; diff --git a/calendar/inc/class.calendar_owner_etemplate_widget.inc.php b/calendar/inc/class.calendar_owner_etemplate_widget.inc.php index f705e18504..a92199a104 100644 --- a/calendar/inc/class.calendar_owner_etemplate_widget.inc.php +++ b/calendar/inc/class.calendar_owner_etemplate_widget.inc.php 
@@ -77,16 +77,13 @@ class calendar_owner_etemplate_widget extends Etemplate\Widget\Taglist // Add external owners that a select account widget will not find foreach($value as &$owner) { - // Make sure it's a string for comparison - $owner = ''.$owner; + $label = self::get_owner_label($owner); if(!is_numeric($owner)) { $resource = $bo->resources[substr($owner, 0,1)]; - $label = Link::title($resource['app'], substr($owner,1)); } else if (!in_array($owner, array_keys($accounts))) { - $label = Link::title('api-accounts',$owner); $resource = array('app'=> 'api-accounts'); } else @@ -126,9 +123,15 @@ class calendar_owner_etemplate_widget extends Etemplate\Widget\Taglist * * @return Array List of matching results */ - public static function ajax_owner() + public static function ajax_owner($id = null) { - $bo = new calendar_bo(); + // Handle a request for a single ID + if($id) + { + $label = self::get_owner_label($id); + Api\Json\Response::get()->data($label); + return $label; + } $query = $_REQUEST['query']; // Arbitrarily limited to 50 / resource @@ -190,4 +193,33 @@ class calendar_owner_etemplate_widget extends Etemplate\Widget\Taglist echo json_encode($results); exit(); } + + /** + * Get just the label for a single owner + * @param string $id + */ + protected static function get_owner_label($id) + { + static $bo; + if(!$bo) $bo = new calendar_bo(); + + $id = ''.$id; + if(!is_numeric($id)) + { + $resource = $bo->resources[substr($id, 0,1)]; + $label = Link::title($resource['app'], substr($id,1)); + + // Could not get via link, try via resources info + if($label === false) + { + $info = ExecMethod($resource['info'], substr($id,1)); + $label = $info[0]['name']; + } + } + else + { + $label = Link::title('api-accounts',$id); + } + return $label; + } } \ No newline at end of file diff --git a/calendar/js/app.js b/calendar/js/app.js index 908ba254c3..0268112bae 100644 --- a/calendar/js/app.js +++ b/calendar/js/app.js 
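Review bot: The new single-ID branch at the top of `ajax_owner()` passes a client-supplied `$id` straight to `get_owner_label()` and returns the result with no permission check of its own, so what comes back depends only on whatever `Link::title()` and the `ExecMethod()` fallback enforce. The planner falls back to this endpoint when there is no sidebox (home or sitemgr), which appears to include the anonymous user, so it should apply the same test the commit adds in `module_calendar_planner`, e.g. `if(!$bo->check_perms(Acl::READ|calendar_bo::ACL_READ_FOR_PARTICIPANTS|calendar_bo::ACL_FREEBUSY,0,$id,'ts')) return false;`, before the lookup (assuming `Acl` is imported in this file). That needs the `$bo = new calendar_bo();` line this hunk removes. The rest of the function lies outside the hunk, so it is also worth confirming that nothing below still reads `$bo`.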
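Review bot: `get_owner_label()` indexes `$bo->resources[substr($id, 0,1)]` without checking that the prefix is registered, and `$id` now arrives from the client through `ajax_owner()`; an unknown prefix leaves `$resource` null, and if `Link::title()` then returns `false` the fallback calls `ExecMethod()` with an empty method name. A guard such as `if(!isset($bo->resources[substr($id, 0,1)])) return false;` before the lookup avoids that. The fallback also reads `$info[0]['name']` without checking that the info method returned a row, and if `Link::title()` returns `false` for entries it declines to show, the fallback may hand out a name the link layer withheld, which is worth confirming. The docblock should gain an `@return` line stating that the result can be `false` or null as well as a string.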
@@ -96,7 +96,7 @@ app.classes.calendar = (function(){ "use strict"; return AppJS.extend( // Show loading div egw.loading_prompt( this.appname,true,egw.lang('please wait...'), - framework.applications.calendar.tab.contentDiv, + typeof framework !== 'undefined' ? framework.applications.calendar.tab.contentDiv : false, egwIsMobile()?'horizental':'spinner' ); } @@ -2833,7 +2833,7 @@ app.classes.calendar = (function(){ "use strict"; return AppJS.extend( } // Hide AJAX loader - if(framework) + if(typeof framework !== 'undefined') { framework.applications.calendar.sidemenuEntry.hideAjaxLoader(); } diff --git a/calendar/js/et2_widget_planner.js b/calendar/js/et2_widget_planner.js index 4baf4d2138..63f1e9cbc0 100644 --- a/calendar/js/et2_widget_planner.js +++ b/calendar/js/et2_widget_planner.js @@ -349,9 +349,9 @@ var et2_calendar_planner = (function(){ "use strict"; return et2_calendar_view.e } else // users { - var label = this._get_owner_name(user)||''; if(already_added.indexOf(user) < 0) { + var label = this._get_owner_name(user)||''; labels.push({id: user, label: label, data: {participants:user,owner:''}}); already_added.push(''+user); } @@ -1278,6 +1278,9 @@ var et2_calendar_planner = (function(){ "use strict"; return et2_calendar_view.e * @param {type} actionLinks */ _init_links_dnd: function(mgr,actionLinks) { + + if (this.options.readonly) return; + var self = this; var drop_action = mgr.getActionById('egw_link_drop'); diff --git a/calendar/js/et2_widget_view.js b/calendar/js/et2_widget_view.js index 7eb959466a..f04a46ad48 100644 --- a/calendar/js/et2_widget_view.js +++ b/calendar/js/et2_widget_view.js 
@@ -335,6 +335,12 @@ var et2_calendar_view = (function(){ "use strict"; return et2_valueWidget.extend user = app.calendar.sidebox_et2.getWidgetById('owner').options.select_options.find(function(element) {return element.id == user;}) || {}; label = user.label; } + else + { + // No sidebox? Must be in home or sitemgr (no caching) - ask directly + label = '?'; + egw.json('calendar_owner_etemplate_widget::ajax_owner',user,function(data) {label = data;}, this).sendRequest(); + } } return label; }, diff --git a/calendar/sitemgr/class.module_calendar_month.inc.php b/calendar/sitemgr/class.module_calendar_month.inc.php index 2d6a735941..0df1ca33b7 100644 --- a/calendar/sitemgr/class.module_calendar_month.inc.php +++ b/calendar/sitemgr/class.module_calendar_month.inc.php @@ -306,7 +306,6 @@ class module_calendar_month extends Module { $GLOBALS['egw']->template = new Framework\Template; } - $html .= $this->ui->timeGridWidget($this->ui->tagWholeDayOnTop($week),$weeks == 2 ? 30 : 60,200,'',$title,0,$week_start+WEEK_s >= $last); } // Initialize Tooltips $html .= ''."\n"; diff --git a/calendar/sitemgr/class.module_calendar_planner.inc.php b/calendar/sitemgr/class.module_calendar_planner.inc.php index da33ac1bf5..c448f0606a 100644 --- a/calendar/sitemgr/class.module_calendar_planner.inc.php +++ b/calendar/sitemgr/class.module_calendar_planner.inc.php @@ -113,6 +113,7 @@ class module_calendar_planner extends Module 'app' => 'calendar', ); $accounts = $this->accounts->search($search_params); + $calendar_bo = new calendar_bo(); $users = array(); $groups = array(); // sort users and groups separately. 
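Review bot: The added `else` branch assigns `label` inside the `egw.json()` callback, but the function returns `label` right after `sendRequest()`; unless that call completes synchronously the caller always gets `'?'` and the fetched name is discarded. If it is synchronous, every uncached owner costs a blocking round trip on each render, as the `(no caching)` comment admits. Storing the result in a per-widget map keyed by `user` and refreshing the row label from the callback would cover both cases. The enclosing function starts outside the hunk.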
@@ -127,7 +128,7 @@ class module_calendar_planner extends Module // get the rights for each account to check whether the anon user has read permissions. $rights = $acl->get_rights($anon_user,'calendar'); // also add the anon user if it's his own calendar. - if (($rights & Acl::READ) || ($entry['account_id'] == $anon_user)) + if ($calendar_bo->check_perms(Acl::READ|calendar_bo::ACL_READ_FOR_PARTICIPANTS|calendar_bo::ACL_FREEBUSY,0,$entry['account_id'],'ts',null,$anon_user) || ($entry['account_id'] == $anon_user)) { $has_read_permissions = true; } @@ -171,12 +172,17 @@ class module_calendar_planner extends Module $this->arguments['owner']['multiple'] = true; } - $calendar_bo = new calendar_bo(); $query = ''; $options = array('start' => 0, 'num_rows' => 50); + + $acl = new Acl($anon_user); + $acl->read_repository(); foreach ($calendar_bo->resources as $type => $data) { - if ($type != '' && $data['app'] && Link::get_registry($data['app'], 'query')) + // Check anon user's permissions - must have at least run for the hook to be available + if($acl->check('run',EGW_ACL_READ, $data['app']) && + $type != '' && $data['app'] && Link::get_registry($data['app'], 'query') + ) { $_results = Link::query($data['app'], $query,$options); } @@ -184,11 +190,15 @@ class module_calendar_planner extends Module $_results = array_unique($_results); foreach ($_results as $key => $value) { - $this->arguments['resources']['options'][$type.$key] = $value; + if($calendar_bo->check_perms(Acl::READ,0,$type.$key,'ts',null,$anon_user)) + { + $this->arguments['resources']['options'][$type.$key] = $value; + } } } $this->arguments['resources']['options'] = array_unique($this->arguments['resources']['options']); $this->arguments['resources']['multiple'] = count($this->arguments['resources']['options']) ? 4 : 0; + return parent::get_user_interface(); } 
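Review bot: In the changed condition the `$rights` value fetched on the context line just above is no longer consulted, so the `get_rights()` call and its comment about checking read permissions are stale if nothing outside the hunk uses `$rights`. The comment should describe the new rule instead, for example `// offer the account if the anon user has read, participant-read or free/busy access, or it is the anon user's own calendar`. The condition is also long enough that naming the mask first, `$needed = Acl::READ|calendar_bo::ACL_READ_FOR_PARTICIPANTS|calendar_bo::ACL_FREEBUSY;`, would make the ACL decision easier to audit.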
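Review bot: The new condition calls `$acl->check('run',EGW_ACL_READ, $data['app'])` before the `$type != '' && $data['app']` tests, so it also runs for the empty `$type` and for entries with no app; moving the ACL check to the end of the `&&` chain keeps it behind those guards. When the condition is false `$_results` is not assigned in this hunk, and one line between this hunk and the next is not shown: unless that line resets it, the previous type's results are filtered and added again under the current `$type` prefix. Starting the loop body with `$_results = array();` removes the doubt. `EGW_ACL_READ` is also the only legacy constant in a patch that otherwise uses `Acl::READ`.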
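Review bot: Resources are filtered with `Acl::READ` only, while the account filter earlier in this file accepts `Acl::READ|calendar_bo::ACL_READ_FOR_PARTICIPANTS|calendar_bo::ACL_FREEBUSY` and the commit message promises "read or free/busy" access for both users and resources. If the stricter rule for resources is intended, a comment above the `check_perms()` call should say so, e.g. `// resources need full read access; free/busy alone is not enough here`; otherwise the same mask should be used in both places. The enclosing method starts outside the hunk.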
@@ -309,12 +319,13 @@ class module_calendar_planner extends Module $tmpl->exec(__METHOD__, $content,array(), array('__ALL__' => true),array(),2); $html .= ob_get_contents(); $html .= ''; } else