nik/davical
1
0
Fork 0
mirror of https://gitlab.com/davical-project/davical.git synced 2026-06-03 04:00:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix deletion from RW accessible calendar which is not yours.

Browse Source
This commit is contained in:
Andrew McMillan 2006-11-22 07:14:47 +13:00
parent e21580f983
commit b4cfd93fd7
1 changed files with 9 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
inc/caldav-DELETE.php
View File

@ -16,8 +16,9 @@ dbg_error_log("delete", "DELETE method handler");
* truth about Evolution's broken handling of this: http://bugzilla.gnome.org/show_bug.cgi?id=349573
*/
if ( !isset($etag_if_match) && isset($etag_none_match) && preg_match('#Evolution/([0-9.]+)#', $_SERVER['HTTP_USER_AGENT'], $matches ) ) {
if ( doubleval($matches[1]) <= 1.8 ) {
if ( !isset($etag_if_match) && isset($etag_none_match) && isset($_SERVER['HTTP_USER_AGENT'])
&& preg_match('#Evolution/([0-9]+[.][0-9]+)#', $_SERVER['HTTP_USER_AGENT'], $matches ) ) {
if ( doubleval($matches[1]) <= 1.9 ) {
$etag_if_match = $etag_none_match;
unset($etag_none_match);
}
@ -34,36 +35,33 @@ if ( !isset($permissions['write']) ) {
}
/**
* Wr read the resource first, so we can check if it matches (or does not match)
* We read the resource first, so we can check if it matches (or does not match)
*/
$qry = new PgQuery( "SELECT * FROM caldav_data WHERE user_no = ? AND dav_name = ?;", (isset($path_user_no)?$path_user_no:$session->user_no), $request_path );
if ( $qry->Exec("DELETE") && $qry->rows == 1 ) {
$delete_row = $qry->Fetch();
if ( (isset($etag_none_match) && $etag_none_match == $delete_row->dav_etag) || (isset($etag_if_match) && $etag_if_match != $delete_row->dav_etag) ) {
if ( (isset($etag_if_match) && $etag_if_match != $delete_row->dav_etag) ) {
header("HTTP/1.1 412 Precondition Failed");
header("Content-type: text/plain");
if ( isset($etag_none_match) && $etag_none_match == $delete_row->dav_etag ) {
echo "Resource matches 'If-None-Match' header - not deleted\n";
}
if ( isset($etag_if_match) && $etag_if_match != $delete_row->dav_etag ) {
echo "Resource does not match 'If-Match' header - not deleted\n";
}
exit(0);
}
$qry = new PgQuery( "DELETE FROM caldav_data WHERE user_no = ? AND dav_name = ? $only_this_etag;", $session->user_no, $request_path );
$qry = new PgQuery( "DELETE FROM caldav_data WHERE user_no = ? AND dav_name = ?;", (isset($path_user_no)?$path_user_no:$session->user_no), $request_path );
if ( $qry->Exec("DELETE") ) {
header("HTTP/1.1 200 Deleted", true, 200);
header("Content-length: 0");
dbg_error_log( "DELETE", "DELETE: User: %d, ETag: %s, Path: %s", $session->user_no, $etag_none_match, $request_path);
@dbg_error_log( "DELETE", "DELETE: User: %d, ETag: %s, Path: %s", $session->user_no, $etag_if_match, $request_path);
}
else {
header("HTTP/1.1 500 Infernal Server Error");
dbg_error_log( "DELETE", "DELETE failed: User: %d, ETag: %s, Path: %s, SQL: %s", $session->user_no, $etag_none_match, $request_path, $qry->querystring);
@dbg_error_log( "DELETE", "DELETE failed: User: %d, ETag: %s, Path: %s, SQL: %s", $session->user_no, $etag_if_match, $request_path, $qry->querystring);
}
}
else {
header("HTTP/1.1 404 Not Found");
dbg_error_log( "DELETE", "DELETE row not found: User: %d, ETag: %s, Path: %s", $qry->rows, $session->user_no, $etag_none_match, $request_path);
@dbg_error_log( "DELETE", "DELETE row not found: User: %d, ETag: %s, Path: %s", $qry->rows, $session->user_no, $etag_if_match, $request_path);
}
?>