From 8f25a8a39319bedbcb80024e1af1a15d5e5b164d Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Sat, 15 Jan 2011 16:42:59 +1300
Subject: [PATCH] Block invalid tickets from having access.

Signed-off-by: Andrew McMillan
---
 htdocs/public.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/htdocs/public.php b/htdocs/public.php
index 4d15c9b8..2c9c61ca 100644
--- a/htdocs/public.php
+++ b/htdocs/public.php
@@ -20,11 +20,14 @@ header( "DAV: $dav");
 require_once("CalDAVRequest.php");
 $request = new CalDAVRequest();

-if ( !isset($request->ticket) && !$request->IsPublic()
- || (isset($request->ticket) && $request->ticket->expired ) ) {
+if ( ! $request->IsPublic()
+ || ! isset($request->ticket)
+ || $request->ticket->expired
+ || ! $request->ticket->MatchesPath($request->path) ) {
 $request->DoResponse( 403, translate('Anonymous users may only access public calendars') );
 }

+
 switch ( $request->method ) {
 case 'OPTIONS': include_once("caldav-OPTIONS.php"); break;
 case 'REPORT': include_once("caldav-REPORT.php"); break;
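Review bot: The rewritten condition in `htdocs/public.php` rejects every request that is not both public and carrying a valid ticket, so a public calendar requested without a ticket, and an unexpired ticket on a non-public path, both now receive the 403; the removed lines accepted either one, and the 403 text still says anonymous users may access public calendars. If the intent is only to reject expired or path-mismatched tickets, validate the ticket when one is present and fall back to the public check otherwise: `if ( isset($request->ticket) ? ( $request->ticket->expired || ! $request->ticket->MatchesPath($request->path) ) : ! $request->IsPublic() ) {`. A one-line comment above the check stating the rule, e.g. `// Allow: public resource without a ticket, or an unexpired ticket whose path matches the request.`, would keep a later edit from flipping the operators again. The `switch` that follows continues outside the hunk, and whether `DoResponse()` ends the request is not visible here, so the method dispatch should not be assumed unreachable after a 403.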