nik/davical
1
0
Fork 0
mirror of https://gitlab.com/davical-project/davical.git synced 2026-05-24 02:24:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Deny calendar-query report on root, principal or addressbook

Browse Source 
Even if recursive report is enabled.
This commit is contained in:
Andrew McMillan 2012-07-02 22:40:43 +12:00
parent c70c4e40a5
commit a555fdad40
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
inc/caldav-REPORT-calquery.php
View File

@ -303,6 +303,9 @@ if ( ! ($target_collection->IsCalendar() || $target_collection->IsSchedulingColl
if ( !(isset($c->allow_recursive_report) && $c->allow_recursive_report) ) {
$request->DoResponse( 403, translate('The calendar-query report must be run against a calendar or a scheduling collection') );
}
else if ( $request->path == '/' || $target_collection->IsPrincipal() || $target_collection->IsAddressbook() ) {
$request->DoResponse( 403, translate('The calendar-query report may not be run against that URL.') );
}
/**
* We're here because they allow recursive reports, and this appears to be such a location.
*/