nik/davical
1
0
Fork 0
mirror of https://gitlab.com/davical-project/davical.git synced 2026-04-25 15:10:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

New style privilege checking.

Browse Source
This commit is contained in:
Andrew McMillan 2009-12-27 09:47:26 +13:00
parent 4e535a8dee
commit 1a0f6984f9
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
inc/caldav-GET.php
View File

@ -12,9 +12,8 @@ dbg_error_log("get", "GET method handler");
require_once("iCalendar.php");
if ( ! $request->AllowedTo('freebusy') ) {
$request->DoResponse( 403, translate("You may not access that calendar") );
}
$request->NeedPrivilege( array('urn:ietf:params:xml:ns:caldav:read-free-busy','DAV::read') );
if ( $request->IsCollection() ) {
if ( $request->IsCalendar() ) {
@ -42,6 +41,7 @@ if ( !$qry->Exec("GET") ) {
}
else if ( $qry->rows == 1 && ! $request->IsCollection() ) {
$event = $qry->Fetch();
$resource = new iCalComponent( $event->caldav_data );
/** Default deny... */
$allowed = false;
@ -55,7 +55,7 @@ else if ( $qry->rows == 1 && ! $request->IsCollection() ) {
}
else if ( $event->class != 'PRIVATE' ) {
$allowed = true; // but we may well obfuscate it below
if ( ! $request->AllowedTo('read') || ( $event->class == 'CONFIDENTIAL' && ! $request->AllowedTo('modify') ) ) {
if ( ! $request->HavePrivilegeTo('DAV::read') || ( $event->class == 'CONFIDENTIAL' && ! $request->HavePrivilegeTo('DAV::write-content') ) ) {
// The user is not admin / owner of this calendarlooking at his calendar and can not admin the other cal,
// or maybe they don't have *read* access but they got here, so they must at least have free/busy access
// so we will present an obfuscated version of the event that just says "Busy" (translated :-)
@ -136,7 +136,7 @@ else {
/** No visibility even of the existence of these events if they aren't admin/owner/attendee */
if ( $event->class == 'PRIVATE' ) continue;
if ( ! $request->AllowedTo('read') || $event->class == 'CONFIDENTIAL' ) {
if ( ! $request->HavePrivilegeTo('DAV::read') || $event->class == 'CONFIDENTIAL' ) {
// The user is not admin / owner of this calendar looking at his calendar and can not admin the other cal,
// or maybe they don't have *read* access but they got here, so they must at least have free/busy access
// so we will present an obfuscated version of the event that just says "Busy" (translated :-)