forked from extern/egroupware
fixed bug: GroupDAV/CardDAV PUT request to /addressbook/ changes owner, also checking now required ACL for moving contacts between addressbooks
This commit is contained in:
parent
4e65bde081
commit
e86f5fb663
@ -299,9 +299,10 @@ class addressbook_groupdav extends groupdav_handler
|
||||
* @param array &$options
|
||||
* @param int $id
|
||||
* @param int $user=null account_id of owner, default null
|
||||
* @param string $prefix=null user prefix from path (eg. /ralf from /ralf/addressbook)
|
||||
* @return mixed boolean true on success, false on failure or string with http status (eg. '404 Not Found')
|
||||
*/
|
||||
function put(&$options,$id,$user=null)
|
||||
function put(&$options,$id,$user=null,$prefix=null)
|
||||
{
|
||||
if ($this->debug) error_log(__METHOD__.'('.array2string($options).",$id,$user)");
|
||||
|
||||
@ -383,12 +384,21 @@ class addressbook_groupdav extends groupdav_handler
|
||||
$contact['id'] = $oldContact['id'];
|
||||
// dont allow the client to overwrite certain values
|
||||
$contact['uid'] = $oldContact['uid'];
|
||||
//$contact['owner'] = $oldContact['owner'];
|
||||
$contact['owner'] = $oldContact['owner'];
|
||||
$contact['private'] = $oldContact['private'];
|
||||
}
|
||||
|
||||
// only set owner, if user is explicitly specified in URL (check via prefix, NOT for /addressbook/ !)
|
||||
if ($prefix)
|
||||
{
|
||||
// check for modified owners, if user has an add right for the new addressbook and
|
||||
// delete rights for the old addressbook (_common_get_put_delete checks for PUT only EGW_ACL_EDIT)
|
||||
if ($oldContact && $user != $oldContact['owner'] && !($this->bo->grants[$user] & EGW_ACL_ADD) &&
|
||||
(!$this->bo->grants[$oldContact['owner']] & EGW_ACL_DELETE))
|
||||
{
|
||||
return '403 Forbidden';
|
||||
}
|
||||
$contact['owner'] = $user;
|
||||
|
||||
}
|
||||
if ($this->http_if_match) $contact['etag'] = self::etag2value($this->http_if_match);
|
||||
|
||||
if (!($save_ok = $this->bo->save($contact)))
|
||||
|
@ -732,13 +732,13 @@ class groupdav extends HTTP_WebDAV_Server
|
||||
|
||||
if ($this->debug) error_log(__METHOD__.'('.array2string($options).')');
|
||||
|
||||
if (!$this->_parse_path($options['path'],$id,$app,$user))
|
||||
if (!$this->_parse_path($options['path'],$id,$app,$user,$prefix))
|
||||
{
|
||||
return '404 Not Found';
|
||||
}
|
||||
if (($handler = self::app_handler($app)))
|
||||
{
|
||||
$status = $handler->put($options,$id,$user);
|
||||
$status = $handler->put($options,$id,$user,$prefix);
|
||||
// set default stati: true --> 204 No Content, false --> should be already handled
|
||||
if (is_bool($status)) $status = $status ? '204 No Content' : '400 Something went wrong';
|
||||
return $status;
|
||||
@ -946,7 +946,7 @@ class groupdav extends HTTP_WebDAV_Server
|
||||
list($id) = explode('.',$id); // remove evtl. .ics extension
|
||||
}
|
||||
|
||||
$ok = $id && $user && in_array($app,array('addressbook','calendar','infolog','principals','groups'));
|
||||
$ok = $id && $user && in_array($app,array('addressbook','calendar','infolog','principals'));
|
||||
if ($this->debug)
|
||||
{
|
||||
error_log(__METHOD__."('$path') returning " . ($ok ? 'true' : 'false') . ": id='$id', app='$app', user='$user', user_prefix='$user_prefix'");
|
||||
|
Loading…
Reference in New Issue
Block a user