Enforce permissions on multiget, which might conceivably be retrieving events

from multiple calendars in one pass.
Andrew McMillan 2008-01-25 07:59:45 +13:00
parent bae86da4f7
commit 59108071ba


@ -47,15 +47,14 @@ $where = " WHERE caldav_data.dav_name ~ ".qpg("^".$request->path)." ";
if ( $href_in != "" ) {
$where .= " AND caldav_data.dav_name IN ( $href_in ) ";
}
if ( ! $request->AllowedTo('all') ) {
$where .= "AND (calendar_item.class != 'PRIVATE' OR calendar_item.class IS NULL) ";
}
$where .= "AND (calendar_item.class != 'PRIVATE' OR calendar_item.class IS NULL OR get_permissions($session->user_no,calendar_item.user_no) ~ 'A') ";
if ( isset($c->hide_TODO) && $c->hide_TODO && ! $request->AllowedTo('all') ) {
$where .= "AND caldav_data.caldav_type NOT IN ('VTODO') ";
}
$qry = new PgQuery( "SELECT * FROM caldav_data INNER JOIN calendar_item USING(user_no, dav_name)". $where );
$qry = new PgQuery( "SELECT * FROM caldav_data INNER JOIN calendar_item USING(dav_id, user_no, dav_name)". $where );
if ( isset($c->strict_result_ordering) && $c->strict_result_ordering ) $sql .= " ORDER BY dav_id";
if ( $qry->Exec("REPORT",__LINE__,__FILE__) && $qry->rows > 0 ) {
while( $calendar_object = $qry->Fetch() ) {
$responses[] = calendar_to_xml( $properties, $calendar_object );
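Review bot: The hide_TODO filter just below the new PRIVATE clause still gates on `$request->AllowedTo('all')`, which is evaluated once for the request path, while the PRIVATE check now uses the per-row `get_permissions($session->user_no,calendar_item.user_no) ~ 'A'`. If a multiget can span calendars with different owners, VTODO visibility presumably needs the same per-row test, e.g. `$where .= "AND (caldav_data.caldav_type NOT IN ('VTODO') OR get_permissions($session->user_no,calendar_item.user_no) ~ 'A') ";` inside `if ( isset($c->hide_TODO) && $c->hide_TODO )`. `$session->user_no` is interpolated into the SQL text unquoted, so wrapping it as `intval($session->user_no)` or passing it through `qpg()` would keep the clause well-formed if that value is ever not a plain integer. The `strict_result_ordering` line appends to `$sql`, which the visible lines never hand to `PgQuery`, and it runs after the query object is already built, so the ORDER BY appears to have no effect; appending to `$where` before the `new PgQuery(...)` line would apply it. The +/- markers are lost in this rendering, so which of the paired lines is old and which is new is inferred from the commit message.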