From a6fccffb8614e801f9361b22e672c844009d8f32 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Wed, 22 Nov 2006 21:07:04 +1300
Subject: [PATCH] When listing users we should not list users that we have no access to.
---
 inc/caldav-PROPFIND.php | 3 +-
 .../regression-suite/002-Mulberry-1.result | 69 +------------------
 2 files changed, 4 insertions(+), 68 deletions(-)
diff --git a/inc/caldav-PROPFIND.php b/inc/caldav-PROPFIND.php
index 8e3086c5..c416aa44 100644
--- a/inc/caldav-PROPFIND.php
+++ b/inc/caldav-PROPFIND.php
@@ -209,7 +209,8 @@ function get_collection_contents( $depth, $user_no, $collection ) {
 */
 if ( $collection->dav_name == '/' ) {
 $sql = "SELECT user_no, user_no, '/' || username || '/' AS dav_name, md5( '/' || username || '/') AS dav_etag, ";
- $sql .= "updated AS created, to_char(updated at time zone 'GMT',?) AS modified, fullname AS dav_displayname, FALSE AS is_calendar FROM usr";
+ $sql .= "updated AS created, to_char(updated at time zone 'GMT',?) AS modified, fullname AS dav_displayname, FALSE AS is_calendar FROM usr ";
+ $sql .= "WHERE user_no=$session->user_no OR get_permissions($session->user_no,user_no) ~ 'R';";
 }
 else {
 $sql = "SELECT user_no, dav_name, dav_etag, created, to_char(modified at time zone 'GMT',?), dav_displayname, is_calendar FROM collection WHERE parent_container=".qpg($collection->dav_name);
diff --git a/testing/tests/regression-suite/002-Mulberry-1.result b/testing/tests/regression-suite/002-Mulberry-1.result
index ef9f2051..3a556115 100644
--- a/testing/tests/regression-suite/002-Mulberry-1.result
+++ b/testing/tests/regression-suite/002-Mulberry-1.result
@@ -1,8 +1,8 @@ HTTP/1.1 207 Multi-Status Date: Dow, 01 Jan 2000 00:00:00 GMT Server: Apache/2.2.3 (Debian) DAV/2 -ETag: "1e91289a2ef6640fadb7d5c9e6c5ebbb" -Content-Length: 3214 +ETag: "c6f452525856be90cb2193abb6151a59" +Content-Length: 1790 Content-Type: text/xml;charset=UTF-8
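Review bot: The added `WHERE` clause in inc/caldav-PROPFIND.php interpolates `$session->user_no` straight into the SQL text, while the same statement already uses a `?` placeholder and the `else` branch quotes its value with `qpg()`. The value presumably comes from the server-side session and is an integer, but nothing in the hunk enforces that, and this clause is now the access-control filter for the root listing; I would cast or bind it, e.g. `$uid = intval($session->user_no);` followed by `$sql .= "WHERE user_no=$uid OR get_permissions($uid,user_no) ~ 'R';";`. The signature of get_collection_contents() shows no `$session` parameter and the start of its body is outside the hunk, so it is worth confirming that `global $session;` is declared there; otherwise the clause would be built from an empty value. A short comment above the new line, such as `// Only list principals the session user owns or can read`, would record why the filter exists.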
@@ -20,32 +20,6 @@ Content-Type: text/xml;charset=UTF-8 HTTP/1.1 200 OK - - /caldav.php/admin/ - - - - httpd/unix-directory - - - - - HTTP/1.1 200 OK - - - - /caldav.php/andrew/ - - - - httpd/unix-directory - - - - - HTTP/1.1 200 OK - - /caldav.php/user1/ @@ -59,19 +33,6 @@ Content-Type: text/xml;charset=UTF-8 HTTP/1.1 200 OK - - /caldav.php/user2/ - - - - httpd/unix-directory - - - - - HTTP/1.1 200 OK - - /caldav.php/manager1/ @@ -124,30 +85,4 @@ Content-Type: text/xml;charset=UTF-8 HTTP/1.1 200 OK - - /caldav.php/resmgr1/ - - - - httpd/unix-directory - - - - - HTTP/1.1 200 OK - - - - /caldav.php/teamclient1/ - - - - httpd/unix-directory - - - - - HTTP/1.1 200 OK - -