From d6bc8af79adb711f6cef57dc9bc4ced50d6569d0 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Sun, 12 May 2002 21:11:34 +0000 Subject: [PATCH] - corrected lots of ACL problems with a new function bo->rb_check_prevs(PHPGW_ACL_xyz,$cal_id_or_event) - edit is not longer forgetting the participant status --- infolog/calendar/inc/class.bocalendar.inc.php | 74 ++++++++++++----- .../calendar/inc/class.socalendar_sql.inc.php | 2 +- infolog/calendar/inc/class.uicalendar.inc.php | 82 +++++++++++-------- 3 files changed, 102 insertions(+), 56 deletions(-) diff --git a/infolog/calendar/inc/class.bocalendar.inc.php b/infolog/calendar/inc/class.bocalendar.inc.php index 1e67bf1634..1586cf2671 100755 --- a/infolog/calendar/inc/class.bocalendar.inc.php +++ b/infolog/calendar/inc/class.bocalendar.inc.php @@ -383,9 +383,10 @@ function read_entry($id) { - if($this->check_perms(PHPGW_ACL_READ)) + if($this->rb_check_perms(PHPGW_ACL_READ,$id)) { $event = $this->so->read_entry($id); + if(!isset($event['participants'][$this->owner]) && $this->user_is_a_member($event,$this->owner)) { $this->so->add_attribute('participants','U',intval($this->owner)); @@ -399,12 +400,12 @@ function delete_single($param) { - if($this->check_perms(PHPGW_ACL_DELETE)) + if($this->rb_check_perms(PHPGW_ACL_DELETE,intval($param['id']))) { $temp_event = $this->get_cached_event(); $event = $this->read_entry(intval($param['id'])); - if($this->owner == $event['owner']) - { + //RB if($this->owner == $event['owner']) + //RB { $exception_time = mktime($event['start']['hour'],$event['start']['min'],0,$param['month'],$param['day'],$param['year']) - $this->datetime->tz_offset; $event['recur_exception'][] = intval($exception_time); $this->so->cal->event = $event; @@ -419,7 +420,7 @@ else { $cd = 60; - } + //RB } } $this->so->cal->event = $temp_event; unset($temp_event); 
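Review bot: read_entry now loads the row twice, once inside rb_check_perms (which calls so->read_entry whenever it is handed a non-array) and again on the line right after the check. Reading first and passing the array keeps it to one query: `$event = $this->so->read_entry($id); if(is_array($event) && $this->rb_check_perms(PHPGW_ACL_READ,$event))`. The body of read_entry continues past the hunk, so the existing not-permitted path after the if has to keep returning what it returns today.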
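Review bot: In delete_single the `//RB` lines comment out the owner test together with one `{` and one `}`, which silently rebinds the surviving `else { $cd = 60; }` to the rb_check_perms if above; the braces balance, but the pairing is now only discoverable by counting. Remove the three `//RB` lines and re-indent the block so the else visibly belongs to the permission check. delete_entry in the next hunk and the view() block in class.uicalendar.inc.php (`//RB}` at line 770) use the same construction and need the same clean-up.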
@@ -428,25 +429,26 @@ function delete_entry($id) { - if($this->check_perms(PHPGW_ACL_DELETE)) + if($this->rb_check_perms(PHPGW_ACL_DELETE,$id)) { $temp_event = $this->read_entry($id); - if($this->owner == $temp_event['owner']) - { + //RB if($this->owner == $temp_event['owner']) + //RB { $this->so->delete_entry($id); $cd = 16; } else { $cd = 60; - } + //RB } } return $cd; } function reinstate($params='') { - if($this->check_perms(PHPGW_ACL_EDIT) && isset($params['cal_id']) && isset($params['reinstate_index'])) + //RB if($this->check_perms(PHPGW_ACL_EDIT) && isset($params['cal_id']) && isset($params['reinstate_index'])) + if($this->rb_check_perms(PHPGW_ACL_EDIT,$params['cal_id']) && isset($params['reinstate_index'])) { $event = $this->so->read_entry($params['cal_id']); @reset($params['reinstate_index']); @@ -511,7 +513,7 @@ function expunge() { - if($this->check_perms(PHPGW_ACL_DELETE)) + if($this->rb_check_perms(PHPGW_ACL_DELETE)) { reset($this->so->cal->deleted_events); for($i=0;$iso->cal->deleted_events);$i++) @@ -573,7 +575,7 @@ } else { - if((!$l_cal['id'] && !$this->check_perms(PHPGW_ACL_ADD)) || ($l_cal['id'] && !$this->check_perms(PHPGW_ACL_EDIT))) + if((!$l_cal['id'] && !$this->rb_check_perms(PHPGW_ACL_ADD)) || ($l_cal['id'] && !$this->rb_check_perms(PHPGW_ACL_EDIT,$l_cal['id']))) { ExecMethod('calendar.uicalendar.index'); $GLOBALS['phpgw']->common->phpgw_exit(); @@ -656,14 +658,18 @@ $part = Array(); for($i=0;$i 0) + { + $accept_type = 'U'; + } $acct_type = $GLOBALS['phpgw']->accounts->get_type(intval($parts[$i])); if($acct_type == 'u') { - $part[$parts[$i]] = 1; + $part[intval($parts[$i])] = $accept_type; } elseif($acct_type == 'g') { - $part[$parts[$i]] = 1; + $part[intval($parts[$i])] = $accept_type; $groups[] = $parts[$i]; /* This pulls ALL users of a group and makes them as participants to the event */ /* I would like to turn this back into a group thing. */ 
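Review bot: reinstate dropped the `isset($params['cal_id'])` guard, so with the default `$params=''` the index is read before anything is validated, and rb_check_perms then most likely issues a so->read_entry for a cast id of 0. Keep the cheap checks first and the database read last: `if(isset($params['cal_id']) && isset($params['reinstate_index']) && $this->rb_check_perms(PHPGW_ACL_EDIT,$params['cal_id']))`. The remainder of reinstate runs past the hunk.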
@@ -676,7 +682,7 @@ } while($member = each($members)) { - $part[$member[1]['account_id']] = 1; + $part[$member[1]['account_id']] = $accept_type; } } } @@ -689,9 +695,9 @@ if($part) { @reset($part); - while(list($key,$value) = each($part)) + while(list($key,$accept_type) = each($part)) { - $this->so->add_attribute('participants','U',intval($key)); + $this->so->add_attribute('participants',$accept_type,intval($key)); } } @@ -851,10 +857,40 @@ return mktime($time['hour'],$time['min'],$time['sec'],$time['month'],$time['mday'],$time['year']); } + function rb_check_perms($needed,$event=0) + { + if (is_int($event) && $event == 0) + { + $owner = $this->owner; + } + else + { + if (!is_array($event)) + { + $event = $this->so->read_entry((int) $event); + } + if (!is_array($event)) + { + return False; + } + $owner = $event['owner']; + $privat = $event['public'] == False || $event['public'] == 0; + } + $user = $GLOBALS['phpgw_info']['user']['account_id']; + $grants = $this->grants[$owner]; + + $access = $user == $owner || $grants & $needed && (!$privat || $grants & PHPGW_ACL_PRIVAT); + //echo "

rb_check_perms for user $user and needed_acl $needed: event=$event[title]: owner=$owner, privat=$privat, grants=$grants ==> access=$access

\n"; + + return $access; + } + function can_user_edit($event) { + return $this->rb_check_perms(PHPGW_ACL_EDIT,$event); + $can_edit = False; - + if(($event['owner'] == $this->owner) && ($this->check_perms(PHPGW_ACL_EDIT) == True)) { if($event['public'] == False || $event['public'] == 0) @@ -1197,7 +1233,7 @@ return $status; } - function is_private($event,$owner) + function is_private($event,$owner) //RB_NEED_WORK { if($owner == 0) { diff --git a/infolog/calendar/inc/class.socalendar_sql.inc.php b/infolog/calendar/inc/class.socalendar_sql.inc.php index 081590973b..03a51a37ef 100644 --- a/infolog/calendar/inc/class.socalendar_sql.inc.php +++ b/infolog/calendar/inc/class.socalendar_sql.inc.php @@ -495,7 +495,7 @@ class socalendar_ extends socalendar__ @reset($event['participants']); while (list($key,$value) = @each($event['participants'])) { - if(intval($key) == intval($this->user)) + if(intval($key) == $event['owner']/*RB intval($this->user)*/) { $value = 'A'; } diff --git a/infolog/calendar/inc/class.uicalendar.inc.php b/infolog/calendar/inc/class.uicalendar.inc.php index 80ac07de2b..6ed6d84c63 100755 --- a/infolog/calendar/inc/class.uicalendar.inc.php +++ b/infolog/calendar/inc/class.uicalendar.inc.php @@ -627,7 +627,8 @@ $GLOBALS['phpgw']->common->phpgw_exit(True); } - if(!$this->bo->check_perms(PHPGW_ACL_READ)) + //RB if(!$this->bo->check_perms(PHPGW_ACL_READ)) + if(!$this->bo->rb_check_perms(PHPGW_ACL_READ,$cal_id)) { echo lang('You do not have permission to read this record!').''."\n"; $GLOBALS['phpgw']->common->phpgw_exit(True); 
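Review bot: The private-event branch of rb_check_perms tests `$grants & PHPGW_ACL_PRIVAT`, while every other check on this page spells the constant `PHPGW_ACL_PRIVATE`; unless PHPGW_ACL_PRIVAT is defined somewhere as an alias, PHP evaluates the undefined constant as the string 'PHPGW_ACL_PRIVAT', the bitwise AND yields 0, and no grant can ever open another owner's private event (it fails closed, but silently). `$privat` is also only assigned in the else branch, so the no-event call form reads an undefined variable; set `$privat = False;` before the branch. The access expression mixes `==`, `&`, `&&` and `||` without parentheses; `$access = ($user == $owner) || (($grants & $needed) && (!$privat || ($grants & PHPGW_ACL_PRIVATE)));` states the intended precedence explicitly. The commented-out debug echo should be removed, and the new first-line `return` in can_user_edit leaves the rest of that method (which continues past the hunk) unreachable, so that body should be deleted rather than left behind.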
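Review bot: The owner auto-accept test in the participant loop compares `intval($key)` loosely against `$event['owner']` and drags the old expression along as an inline comment; `if(intval($key) == intval($event['owner']))` keeps the comparison symmetric and drops the dead text. The enclosing method starts and ends outside the hunk.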
@@ -677,9 +678,11 @@ ) ); - if($this->bo->owner == $event['owner'] || $this->bo->member_of_group($this->bo->owner)) - { - if ($this->bo->check_perms(PHPGW_ACL_EDIT,$event['owner'])) + //RB: this is handled by the acl + //RB if($this->bo->owner == $event['owner'] || $this->bo->member_of_group($this->bo->owner)) + //RB { + //RB if ($this->bo->rb_check_perms(PHPGW_ACL_EDIT,$event['owner'])) + if ($this->bo->rb_check_perms(PHPGW_ACL_EDIT,$event)) { if($event['recur_type'] != MCAL_RECUR_NONE) { @@ -724,7 +727,8 @@ echo $p->fp('out','form_button'); } - if ($this->bo->check_perms(PHPGW_ACL_DELETE,$event['owner'])) + //RB if ($this->bo->check_perms(PHPGW_ACL_DELETE,$event['owner'])) + if ($this->bo->rb_check_perms(PHPGW_ACL_DELETE,$event)) { if($event['recur_type'] != MCAL_RECUR_NONE) { @@ -770,7 +774,7 @@ echo $p->fp('out','form_button'); } } - } + //RB} $var = Array( 'action_url_button' => $this->page('export'), @@ -786,7 +790,7 @@ function edit($params='') { - if(!$this->bo->check_perms(PHPGW_ACL_EDIT)) + if(!$this->bo->check_perms(PHPGW_ACL_EDIT))//RB_NEED_WORK { $this->no_edit(); } @@ -912,11 +916,11 @@ function reinstate_list($params='') { - if(!$this->bo->check_perms(PHPGW_ACL_EDIT)) + if(!$this->bo->check_perms(PHPGW_ACL_EDIT))//RB_NEED_WORK { $this->no_edit(); } - elseif(!$this->bo->check_perms(PHPGW_ACL_ADD)) + elseif(!$this->bo->check_perms(PHPGW_ACL_ADD))//RB_NEED_WORK { $this->index(); } @@ -936,7 +940,7 @@ $GLOBALS['phpgw']->common->phpgw_exit(True); } - if(!$this->bo->check_perms(PHPGW_ACL_READ)) + if(!$this->bo->check_perms(PHPGW_ACL_READ))//RB_NEED_WORK { echo lang('You do not have permission to read this record!').''."\n"; $GLOBALS['phpgw']->common->phpgw_exit(True); 
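Review bot: edit() keeps the calendar-wide `check_perms(PHPGW_ACL_EDIT)` and only tags it `//RB_NEED_WORK`, so the per-event owner and private checks that view() gained in the hunk at line 627 are not applied on the edit path; once the entry id is known the same `if(!$this->bo->rb_check_perms(PHPGW_ACL_EDIT,$cal_id))` form fits here. The same marker sits on reinstate_list and reinstate in the following hunks. As far as this diff shows, bo->update() does re-check `rb_check_perms(PHPGW_ACL_EDIT,$l_cal['id'])`, so the UI check is defence in depth rather than the only gate, but the marker should not ship as the permanent state.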
@@ -999,11 +1003,11 @@ function reinstate($params='') { - if(!$this->bo->check_perms(PHPGW_ACL_EDIT)) + if(!$this->bo->check_perms(PHPGW_ACL_EDIT))//RB_NEED_WORK { $this->no_edit(); } - elseif(!$this->bo->check_perms(PHPGW_ACL_ADD)) + elseif(!$this->bo->check_perms(PHPGW_ACL_ADD))//RB_NEED_WORK { $this->index(); } @@ -1032,7 +1036,7 @@ function add($cd=0,$readsess=0) { - if(!$this->bo->check_perms(PHPGW_ACL_ADD)) + if(!$this->bo->rb_check_perms(PHPGW_ACL_ADD)) { $this->index(); } @@ -1092,7 +1096,8 @@ $date = sprintf("%04d%02d%02d",$this->bo->year,$this->bo->month,$this->bo->day); $event = $this->bo->read_entry(intval($GLOBALS['HTTP_GET_VARS']['cal_id'])); - if(($GLOBALS['HTTP_GET_VARS']['cal_id'] > 0) && ($event['owner'] == $this->bo->owner) && $this->bo->check_perms(PHPGW_ACL_DELETE)) + //if(($GLOBALS['HTTP_GET_VARS']['cal_id'] > 0) && ($event['owner'] == $this->bo->owner) && $this->bo->check_perms(PHPGW_ACL_DELETE)) + if ($this->bo->rb_check_perms(PHPGW_ACL_DELETE,$event)) { if(isset($GLOBALS['HTTP_POST_VARS']['delete_type']) && $GLOBALS['HTTP_POST_VARS']['delete_type'] == 'single') @@ -1205,7 +1210,7 @@ return; } - if(!$this->bo->check_perms(PHPGW_ACL_EDIT)) + if(!$this->bo->rb_check_perms(PHPGW_ACL_EDIT)) { $this->no_edit(); return; @@ -1229,7 +1234,7 @@ function set_action() { - if(!$this->bo->check_perms(PHPGW_ACL_EDIT)) + if(!$this->bo->rb_check_perms(PHPGW_ACL_EDIT)) { $this->no_edit(); return; @@ -1539,7 +1544,7 @@ @reset($users); while ($user = each($users)) { - if(($GLOBALS['phpgw']->accounts->exists($user[0]) && $this->bo->check_perms(PHPGW_ACL_READ,$user[0])) || $GLOBALS['phpgw']->accounts->get_type($user[0]) == 'g') + if(($GLOBALS['phpgw']->accounts->exists($user[0]) && $this->bo->check_perms(PHPGW_ACL_READ,$user[0])) || $GLOBALS['phpgw']->accounts->get_type($user[0]) == 'g')//RB_NEED_WORK { $str .= ' '."\n"; } 
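Review bot: The delete branch drops the `cal_id > 0` guard, so a missing or zero cal_id now reaches bo->read_entry(0) and then rb_check_perms with whatever that returned; access is refused only because rb_check_perms returns False for a non-array, and an array with an empty owner would fall through to the grants lookup. Keeping the guard makes the intent explicit and saves the read: `if(intval($GLOBALS['HTTP_GET_VARS']['cal_id']) > 0 && $this->bo->rb_check_perms(PHPGW_ACL_DELETE,$event))`. The enclosing function starts before the hunk.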
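Review bot: The no-argument `rb_check_perms(PHPGW_ACL_EDIT)` here and in set_action in the next hunk evaluates grants against `$this->bo->owner`, the calendar currently displayed, not against the owner of the event being posted; the per-event check only happens later in bo->update (`rb_check_perms(PHPGW_ACL_EDIT,$l_cal['id'])` in the hunk at line 573). If the posted cal_id is available at this point, passing it makes the UI gate match the bo one and sends the caller to no_edit() before any form data is processed. The enclosing function starts before the hunk.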
@@ -1581,14 +1586,14 @@ $members = $acct->member(intval($participants[$i])); while($members != False && list($index,$member) = each($members)) { - if($this->bo->check_perms(PHPGW_ACL_READ,$member['account_id']) && !isset($parts[$member['account_id']])) + if($this->bo->check_perms(PHPGW_ACL_READ,$member['account_id']) && !isset($parts[$member['account_id']]))//RB_NEED_WORK { $parts[$member['account_id']] = 1; } } break; case 'u': - if($this->bo->check_perms(PHPGW_ACL_READ,$participants[$i]) && !isset($parts[$participants[$i]])) + if($this->bo->check_perms(PHPGW_ACL_READ,$participants[$i]) && !isset($parts[$participants[$i]]))//RB_NEED_WORK { $parts[$participants[$i]] = 1; } @@ -1723,7 +1728,7 @@ $p->set_block('search_form','search_list_header','search_list_header'); $p->set_block('search_form','search_list','search_list'); $p->set_block('search_form','search_list_footer','search_list_footer'); - + $var = Array( 'color' => $this->theme['bg_text'], 'search_text' => lang('Search Results'), @@ -1813,7 +1818,7 @@ function header() { $cols = 8; - if($this->bo->check_perms(PHPGW_ACL_PRIVATE) == True) + if($this->bo->check_perms(PHPGW_ACL_PRIVATE) == True)//RB_NEED_WORK { $cols++; } @@ -1967,7 +1972,7 @@ function no_edit() { - if(!$isset($GLOBALS['phpgw_info']['flags']['noheader'])) + if(isset($GLOBALS['phpgw_info']['flags']['noheader'])) { unset($GLOBALS['phpgw_info']['flags']['noheader']); unset($GLOBALS['phpgw_info']['flags']['nonavbar']); 
@@ -1982,8 +1987,11 @@ function link_to_entry($event,$month,$day,$year) { $str = ''; - $is_private = $this->bo->is_private($event,$event['owner']); - $editable = ((!$this->bo->printer_friendly) && (($is_private && $this->bo->check_perms(PHPGW_ACL_PRIVATE)) || !$is_private)); + //RB $is_private = $this->bo->is_private($event,$event['owner']); + //RB $editable = ((!$this->bo->printer_friendly) && (($is_private && $this->bo->check_perms(PHPGW_ACL_PRIVATE)) || !$is_private)); + //RB editable means here, ok to set a link to view + $editable = !$this->bo->printer_friendly && $this->bo->rb_check_perms(PHPGW_ACL_READ,$event); + $is_private = !$event['public'] && !$this->bo->rb_check_perms(PHPGW_ACL_READ,$event); $p = CreateObject('phpgwapi.Template',$this->template_dir); $p->set_unknowns('remove'); $p->set_file( @@ -2581,7 +2589,8 @@ function view_event($event,$alarms=False) { - if((!$event['participants'][$this->bo->owner] && !$this->bo->member_of_group()) || (!$event['public'] && !$this->bo->check_perms(PHPGW_ACL_PRIVATE))) + //RB if((!$event['participants'][$this->bo->owner] && !$this->bo->member_of_group()) || (!$event['public'] && !$this->bo->check_perms(PHPGW_ACL_PRIVATE))) + if((!$event['participants'][$this->bo->owner] && !$this->bo->rb_check_perms(PHPGW_ACL_READ,$event))) { return '
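Review bot: link_to_entry calls `rb_check_perms(PHPGW_ACL_READ,$event)` twice with identical arguments on consecutive lines, and the second use is just the negation of the first; evaluate it once: `$can_read = $this->bo->rb_check_perms(PHPGW_ACL_READ,$event);` `$editable = !$this->bo->printer_friendly && $can_read;` `$is_private = !$event['public'] && !$can_read;`. The two commented-out `//RB` lines and the "editable means here, ok to set a link to view" remark are better folded into a single comment above the assignments.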
'.lang('You do not have permission to read this record!').'
'; } @@ -2706,7 +2715,7 @@ { if($GLOBALS['phpgw']->accounts->exists($user)) { - $str .= ($str?'
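Review bot: The participant short-cut in view_event is keyed on `$this->bo->owner`, the calendar being displayed, while rb_check_perms decides on `$GLOBALS['phpgw_info']['user']['account_id']`; when those differ, any event in which the displayed owner participates is rendered for the viewer without consulting the viewer's grants, and the removed PHPGW_ACL_PRIVATE clause no longer limits that to public events. If this is intended because every caller has already passed a read check, a one-line comment saying so would help; otherwise key the test on the account id, `$event['participants'][$GLOBALS['phpgw_info']['user']['account_id']]`. view_event continues past the hunk.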
':'').$GLOBALS['phpgw']->common->grab_owner_name($user).' ('.($this->bo->check_perms(PHPGW_ACL_EDIT,$user)?''.$this->bo->get_long_status($short_status).'':$this->bo->get_long_status($short_status)).')'."\n"; + $str .= ($str?'
':'').$GLOBALS['phpgw']->common->grab_owner_name($user).' ('.($this->bo->check_perms(PHPGW_ACL_EDIT,$user)?''.$this->bo->get_long_status($short_status).'':$this->bo->get_long_status($short_status)).')'."\n";//RB_NEED_WORK } } $var[] = Array( @@ -3125,7 +3134,7 @@ $open_link = ' - '; $close_link = ''; - if(!$this->bo->printer_friendly && $this->bo->check_perms(PHPGW_ACL_ADD)) + if(!$this->bo->printer_friendly && $this->bo->rb_check_perms(PHPGW_ACL_ADD)) { $new_hour = intval(substr($dtime,0,strpos($dtime,':'))); if ($this->bo->prefs['common']['timeformat'] == '12' && $i > 12) @@ -3357,7 +3366,7 @@ 'calendar_action' => ($event['id']?lang('Calendar - Edit'):lang('Calendar - Add')), 'action_url' => $GLOBALS['phpgw']->link('/index.php',Array('menuaction'=>'calendar.bocalendar.update')), 'common_hidden' => ''."\n" - . ''."\n" + . ''."\n" . ''."\n" . ($GLOBALS['HTTP_GET_VARS']['cal_id'] && $event['id'] == 0?''."\n": (@isset($event['reference'])?''."\n":'')) @@ -3468,17 +3477,18 @@ if(!isset($GLOBALS['phpgw_info']['server']['deny_user_grants_access']) || !$GLOBALS['phpgw_info']['server']['deny_user_grants_access']) { $accounts = $GLOBALS['phpgw']->acl->get_ids_for_location('run',1,'calendar'); + $users = Array(); - $this->build_part_list($users,$accounts,$this->bo->owner); - + $this->build_part_list($users,$accounts,$event['owner']); //RB was $this->bo->owner); + // if the calendar of a group was selected all participants of this group got removed from the participants list $str = ''; @asort($users); @reset($users); while (list($id,$user_array) = each($users)) { - if($id != intval($this->bo->owner)) + if($id != intval($event['owner']/*RB$this->bo->owner*/)) { - $str .= ' '."\n"; + $str .= ' '."\n"; } } $var[] = Array( 
@@ -3487,7 +3497,7 @@ ); // I Participate - if((($event['id'] > 0) && isset($event['participants'][$this->bo->owner])) || !$event['id']) + if((($event['id'] > 0) && isset($event['participants'][$event['owner']/*RB$this->bo->owner*/])) || !$event['id']) { $checked = ' checked'; } @@ -3496,8 +3506,8 @@ $checked = ''; } $var[] = Array( - 'field' => $GLOBALS['phpgw']->common->grab_owner_name($this->bo->owner).' '.lang('Participates'), - 'data' => '' + 'field' => $GLOBALS['phpgw']->common->grab_owner_name($event['owner']/*RB$this->bo->owner*/).' '.lang('Participates'), + 'data' => '' ); } @@ -3689,7 +3699,7 @@ $extra = ''; } - if(!$this->bo->printer_friendly && $this->bo->check_perms(PHPGW_ACL_ADD)) + if(!$this->bo->printer_friendly && $this->bo->rb_check_perms(PHPGW_ACL_ADD)) { $new_event = True; }
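Review bot: The "I Participate" checkbox key and its label are now taken from `$event['owner']` in this hunk and the next, but the `|| !$event['id']` branch is the add case, and it is not visible here whether `$event['owner']` is populated before this form is built; if it is not, grab_owner_name() runs with an empty id and the participants key is empty. Worth confirming against the add path, or falling back once with `$owner = $event['owner'] ? $event['owner'] : $this->bo->owner;` and using `$owner` for the isset test, the label and the checkbox value. The `/*RB$this->bo->owner*/` remnants inside the expressions should then go.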