fixed bug: GroupDAV/CardDAV PUT request to /addressbook/ changes owner, also checking now required ACL for moving contacts between addressbooks

This commit is contained in:
Ralf Becker 2010-10-20 15:47:30 +00:00
parent 4e65bde081
commit e86f5fb663
2 changed files with 18 additions and 8 deletions

View File

@ -299,9 +299,10 @@ class addressbook_groupdav extends groupdav_handler
* @param array &$options
* @param int $id
* @param int $user=null account_id of owner, default null
* @param string $prefix=null user prefix from path (eg. /ralf from /ralf/addressbook)
* @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found')
*/
function put(&$options,$id,$user=null)
function put(&$options,$id,$user=null,$prefix=null)
{
if ($this->debug) error_log(__METHOD__.'('.array2string($options).",$id,$user)");
@ -383,12 +384,21 @@ class addressbook_groupdav extends groupdav_handler
$contact['id'] = $oldContact['id'];
// dont allow the client to overwrite certain values
$contact['uid'] = $oldContact['uid'];
//$contact['owner'] = $oldContact['owner'];
$contact['owner'] = $oldContact['owner'];
$contact['private'] = $oldContact['private'];
}
// only set owner, if user is explicitly specified in URL (check via prefix, NOT for /addressbook/ !)
if ($prefix)
{
// check for modified owners, if user has an add right for the new addressbook and
// delete rights for the old addressbook (_common_get_put_delete checks for PUT only EGW_ACL_EDIT)
if ($oldContact && $user != $oldContact['owner'] && !($this->bo->grants[$user] & EGW_ACL_ADD) &&
(!$this->bo->grants[$oldContact['owner']] & EGW_ACL_DELETE))
{
return '403 Forbidden';
}
$contact['owner'] = $user;
}
if ($this->http_if_match) $contact['etag'] = self::etag2value($this->http_if_match);
if (!($save_ok = $this->bo->save($contact)))

View File

@ -732,13 +732,13 @@ class groupdav extends HTTP_WebDAV_Server
if ($this->debug) error_log(__METHOD__.'('.array2string($options).')');
if (!$this->_parse_path($options['path'],$id,$app,$user))
if (!$this->_parse_path($options['path'],$id,$app,$user,$prefix))
{
return '404 Not Found';
}
if (($handler = self::app_handler($app)))
{
$status = $handler->put($options,$id,$user);
$status = $handler->put($options,$id,$user,$prefix);
// set default stati: true --> 204 No Content, false --> should be already handled
if (is_bool($status)) $status = $status ? '204 No Content' : '400 Something went wrong';
return $status;
@ -946,7 +946,7 @@ class groupdav extends HTTP_WebDAV_Server
list($id) = explode('.',$id); // remove evtl. .ics extension
}
$ok = $id && $user && in_array($app,array('addressbook','calendar','infolog','principals','groups'));
$ok = $id && $user && in_array($app,array('addressbook','calendar','infolog','principals'));
if ($this->debug)
{
error_log(__METHOD__."('$path') returning " . ($ok ? 'true' : 'false') . ": id='$id', app='$app', user='$user', user_prefix='$user_prefix'");