diff --git a/inc/caldav-PROPFIND.php b/inc/caldav-PROPFIND.php index 6fa2a19a..65b3a807 100644 --- a/inc/caldav-PROPFIND.php +++ b/inc/caldav-PROPFIND.php @@ -607,13 +607,17 @@ function get_collection_contents( $depth, $user_no, $collection ) { */ if ( $request->AllowedTo('read') ) { dbg_error_log("PROPFIND","Getting collection items: Depth %d, User: %d, Path: %s", $depth, $user_no, $collection->dav_name ); + $privacy_clause = " "; + if ( ! $request->AllowedTo('all') ) { + $privacy_clause = " AND (calendar_item.class != 'PRIVATE' OR calendar_item.class IS NULL) "; + } $sql = "SELECT caldav_data.dav_name, caldav_data, caldav_data.dav_etag, "; $sql .= "to_char(coalesce(calendar_item.created, caldav_data.created) at time zone 'GMT',?) AS created, "; $sql .= "to_char(last_modified at time zone 'GMT',?) AS modified, "; $sql .= "summary AS dav_displayname "; - $sql .= "FROM caldav_data JOIN calendar_item USING( user_no, dav_name) WHERE dav_name ~ ".qpg('^'.$collection->dav_name.'[^/]+$'); - $sql .= " AND (calendar_item.class != 'PRIVATE' OR calendar_item.class IS NULL OR get_permissions($session->user_no,caldav_data.user_no) ~ 'A') "; // Must have 'all' permissions to see confidential items + $sql .= "FROM caldav_data JOIN calendar_item USING( user_no, dav_name) "; + $sql .= "WHERE dav_name ~ ".qpg('^'.$collection->dav_name.'[^/]+$'). $privacy_clause; $sql .= "ORDER BY caldav_data.dav_name "; $qry = new PgQuery($sql, PgQuery::Plain(iCalendar::HttpDateFormat()), PgQuery::Plain(iCalendar::HttpDateFormat())); if( $qry->Exec("PROPFIND",__LINE__,__FILE__) && $qry->rows > 0 ) { @@ -685,17 +689,21 @@ function get_collection( $depth, $user_no, $collection_path ) { * Get XML response for a single item. Depth is irrelevant for this. */ function get_item( $item_path ) { - global $session; + global $session, $request; $responses = array(); dbg_error_log("PROPFIND","Getting item: Path: %s", $item_path ); + $privacy_clause = " "; + if ( ! $request->AllowedTo('all') ) { + $privacy_clause = " AND (calendar_item.class != 'PRIVATE' OR calendar_item.class IS NULL) "; + } + $sql = "SELECT caldav_data.dav_name, caldav_data, caldav_data.dav_etag, "; $sql .= "to_char(coalesce(calendar_item.created, caldav_data.created) at time zone 'GMT',?) AS created, "; $sql .= "to_char(last_modified at time zone 'GMT',?) AS modified, "; $sql .= "summary AS dav_displayname "; - $sql .= "FROM caldav_data JOIN calendar_item USING( user_no, dav_name) WHERE dav_name = ? "; - $sql .= "AND (calendar_item.class != 'PRIVATE' OR calendar_item.class IS NULL OR get_permissions($session->user_no,caldav_data.user_no) ~ 'A') "; // Must have 'all' permissions to see confidential items + $sql .= "FROM caldav_data JOIN calendar_item USING( user_no, dav_name) WHERE dav_name = ? $privacy_clause"; $qry = new PgQuery($sql, PgQuery::Plain(iCalendar::HttpDateFormat()), PgQuery::Plain(iCalendar::HttpDateFormat()), $item_path); if( $qry->Exec("PROPFIND",__LINE__,__FILE__) && $qry->rows > 0 ) { while( $item = $qry->Fetch() ) {