Enforce tight restrictions on viewing other people's collection contents.

Andrew McMillan 2007-05-09 14:09:47 +12:00
parent d2751f18a6
commit 106b0f933d


@ -5,6 +5,14 @@ $session->LoginRequired();
require_once("interactive-page.php");
$user_no = ( isset($_GET['user_no']) ? intval($_GET['user_no']) : 0 );
if ( !$session->AllowedTo("Admin") && ($user_no == 0 || $user_no != $session->user_no) ) {
$c->messages[] = "You may only review the contents of your own collections in this interface.";
include("page-header.php");
include("page-footer.php");
exit(0);
}
require_once("classBrowser.php");
$c->stylesheets[] = "css/browse.css";
@ -20,8 +28,8 @@ require_once("interactive-page.php");
$browser->AddColumn( 'rrule', translate('Repeat Rule') );
$browser->SetJoins( 'caldav_data JOIN calendar_item USING ( user_no, dav_name ) ' );
if ( isset($_GET['user_no']) ) {
$browser->SetWhere( "user_no=" . intval($_GET['user_no']) );
if ( $user_no > 0 ) {
$browser->SetWhere( "user_no=$user_no" );
}
if ( isset($_GET['dav_name']) ) {
$browser->SetWhere( "dav_name ~ " . qpg("^".$_GET['dav_name']."[^/]+$") );
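Review bot: The `dav_name` branch at the end of this hunk calls `$browser->SetWhere(...)` a second time, after the new `user_no=$user_no` condition, and classBrowser.php is not visible here. If `SetWhere` assigns the WHERE clause rather than appending to it, a request that supplies `dav_name` would drop the owner filter this commit is meant to enforce. Please confirm the two conditions are ANDed, or build them into a single clause so the `user_no` restriction cannot be replaced. Separately, `$_GET['dav_name']` is placed inside a regular expression with only `qpg()` applied, which presumably handles SQL quoting but not regex metacharacters, so the pattern can match more than the intended prefix. Escaping the value for the regex, or using a prefix comparison on the quoted value, would keep the match as narrow as the interface implies.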
@ -37,7 +45,6 @@ require_once("interactive-page.php");
$browser->DoQuery();
include("page-header.php");
echo $browser->Render();