holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix Security Holes

Browse Source 
Another prohibited users can view availability of another users
 (and reconstruct calendar for a user, in final)
Now, Users can view _only_ availability of users when owner has a good
 rights (minimal: read)
This commit is contained in:
bgigon 2004-09-28 15:57:29 +00:00
parent 3bd4118e3e
commit 7e31271830
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
calendar/inc/class.uicalendar.inc.php
View File

@ -3023,6 +3023,10 @@
$overlap .= '<ul>'; $overlap .= '<ul>';
foreach($overlapped_event['participants'] as $id => $status) foreach($overlapped_event['participants'] as $id => $status)
{ {
// Check if user can view others participants
if($GLOBALS["phpgw"]->acl->get_rights($id, "calendar") < PHPGW_ACL_READ)
continue;
$conflict = isset($event['participants'][$id]); $conflict = isset($event['participants'][$id]);
$overlap .= '<li>'.($conflict?'<b>':''). $overlap .= '<li>'.($conflict?'<b>':'').
$GLOBALS['phpgw']->common->grab_owner_name($id). $GLOBALS['phpgw']->common->grab_owner_name($id).