From 51576df4908e8d9f8c8a0a41224514e4a095d3dd Mon Sep 17 00:00:00 2001
From: Andrew McMillan <andrew@morphoss.com>
Date: Tue, 4 Jan 2011 17:08:22 +1300
Subject: [PATCH] Obfuscate event data when reader only has read-free-busy
 permission.

Signed-off-by: Andrew McMillan <andrew@morphoss.com>
---
 inc/DAVResource.php   | 22 ++++++++++++++++------
 issues/i_1378ca0a.cil |  6 +++---
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/inc/DAVResource.php b/inc/DAVResource.php
index 3addb3cd..4dff874d 100644
--- a/inc/DAVResource.php
+++ b/inc/DAVResource.php
@@ -12,6 +12,7 @@
 require_once('AwlCache.php');
 require_once('AwlQuery.php');
 require_once('DAVTicket.php');
+require_once('iCalendar.php');
 
 
 /**
@@ -260,8 +261,18 @@ class DAVResource
     else {
       $this->resourcetypes = '';
       if ( isset($this->resource->caldav_data) ) {
-        if ( substr($this->resource->caldav_data,0,15) == 'BEGIN:VCALENDAR' ) {
+        $this->resource->displayname = $this->resource->summary;
+        if ( strtoupper(substr($this->resource->caldav_data,0,15)) == 'BEGIN:VCALENDAR' ) {
           $this->contenttype = 'text/calendar';
+          if ( !$this->HavePrivilegeTo('read') && $this->HavePrivilegeTo('read-free-busy') ) {
+            $vcal = new iCalComponent($this->resource->caldav_data);
+            $confidential = $vcal->CloneConfidential();
+            $this->resource->caldav_data = $confidential->Render();
+            $this->resource->displayname = $this->resource->summary = translate('Busy');
+            $this->resource->description = null;
+            $this->resource->location = null;
+            $this->resource->url = null;
+          }
         }
         else if ( strtoupper(substr($this->resource->caldav_data,0,11)) == 'BEGIN:VCARD' ) {
           $this->contenttype = 'text/vcard';
@@ -269,7 +280,6 @@ class DAVResource
         else if ( strtoupper(substr($this->resource->caldav_data,0,11)) == 'BEGIN:VLIST' ) {
           $this->contenttype = 'text/x-vlist';
         }
-        $this->resource->displayname = $this->resource->summary;
       }
     }
   }
@@ -479,7 +489,7 @@ EOSQL;
       }
       @dbg_error_log( 'DAVResource', ':FetchCollection: Read cached collection named "%s" of type "%s".', $this->collection->dav_name, $this->collection->type );
     }
-
+    
     if ( isset($this->collection->bound_from) ) {
       $this->_is_binding = true;
       $this->bound_from = str_replace( $this->collection->bound_to, $this->collection->bound_from, $this->dav_name);
@@ -1478,9 +1488,9 @@ EOQRY;
         break;
 
       case 'DAV::owner':
-        // After a careful reading of RFC3744 we see that this must be the principal-URL of the owner
-        $owner_url = ( isset($this->_is_binding) && $this->_is_binding ? $this->collection->bind_owner_url : $this->principal_url() );
-        $reply->DAVElement( $prop, 'owner', $reply->href( $owner_url ) );
+        // The principal-URL of the owner
+        if ( !isset($this->principal) ) $this->FetchPrincipal();
+        $reply->DAVElement( $prop, 'owner', $reply->href( $this->principal->url() ) );
         break;
 
       // Empty tag responses.
diff --git a/issues/i_1378ca0a.cil b/issues/i_1378ca0a.cil
index 12921271..e5e46ded 100644
--- a/issues/i_1378ca0a.cil
+++ b/issues/i_1378ca0a.cil
@@ -1,9 +1,9 @@
 Summary: DAVResource should sometimes obfuscate resource data
-Status: New
+Status: Finished
 CreatedBy: Andrew McMillan <andrew@morphoss.com>
-AssignedTo: 
+AssignedTo: Andrew McMillan <andrew@morphoss.com>
 Inserted: 2011-01-02T21:25:18
-Updated: 2011-01-02T21:25:18
+Updated: 2011-01-04T04:06:12
 
 When freebusy permissions are available, DAVResource will sometimes
 be called on to provide the real resource data, and in such cases