From 106b0f933de7ee5de755b8b31c9dcfcbc1a070ea Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Wed, 9 May 2007 14:09:47 +1200
Subject: [PATCH] Enforce tight restrictions on viewing other people's collection contents.
---
 htdocs/collection.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/htdocs/collection.php b/htdocs/collection.php
index 1fe47819..f24e3053 100644
--- a/htdocs/collection.php
+++ b/htdocs/collection.php
@@ -5,6 +5,14 @@ $session->LoginRequired();
 require_once("interactive-page.php");
+$user_no = ( isset($_GET['user_no']) ? intval($_GET['user_no']) : 0 );
+
+if ( !$session->AllowedTo("Admin") && ($user_no == 0 || $user_no != $session->user_no) ) {
+ $c->messages[] = "You may only review the contents of your own collections in this interface.";
+ include("page-header.php");
+ include("page-footer.php");
+ exit(0);
+}
 require_once("classBrowser.php");
 $c->stylesheets[] = "css/browse.css";
@@ -20,8 +28,8 @@ require_once("interactive-page.php");
 $browser->AddColumn( 'rrule', translate('Repeat Rule') );
 $browser->SetJoins( 'caldav_data JOIN calendar_item USING ( user_no, dav_name ) ' );
- if ( isset($_GET['user_no']) ) {
- $browser->SetWhere( "user_no=" . intval($_GET['user_no']) );
+ if ( $user_no > 0 ) {
+ $browser->SetWhere( "user_no=$user_no" );
 }
 if ( isset($_GET['dav_name']) ) {
 $browser->SetWhere( "dav_name ~ " . qpg("^".$_GET['dav_name']."[^/]+$") );
@@ -37,7 +45,6 @@ require_once("interactive-page.php");
 $browser->DoQuery();
- include("page-header.php");
 echo $browser->Render();
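Review bot: The ownership test `$user_no != $session->user_no` in the new guard is a loose comparison between the intval()'d request value and a session field whose type this hunk does not show; `(int)$session->user_no !== $user_no` would pin the intent and not depend on how the session stores that field. A non-admin who opens the page without a `user_no` parameter is refused outright rather than shown their own collections — if that is not the intended behaviour, `$user_no = isset($_GET['user_no']) ? intval($_GET['user_no']) : $session->user_no;` would default to the caller's own collections while keeping the check intact. The refusal path is otherwise sound (it renders the message and exits before classBrowser is loaded), but a short comment such as `// Non-admins may only browse their own user_no; refuse before any query is built` would help the next reader see why this block sits ahead of the include.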
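Review bot: The `user_no` filter is now applied only when `$user_no > 0`, which for non-admin callers relies on the ownership check some twenty lines earlier rather than on anything visible here; a comment `// $user_no was validated above: non-admins reach this point only with their own id, admins with 0 (no filter) or any id` would make that dependency explicit. The neighbouring `dav_name` condition, unchanged by this commit, still splices `$_GET['dav_name']` into a `~` regex; qpg() appears to quote it as an SQL literal, but regex metacharacters in the value are not neutralised, so the pattern can match more than the intended path prefix — worth a TODO to escape them before the pattern is built.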