From b4cfd93fd7800d60aa3eb5c6909d8b4beea604a1 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Wed, 22 Nov 2006 07:14:47 +1300
Subject: [PATCH] Fix deletion from RW accessible calendar which is not yours.
---
 inc/caldav-DELETE.php | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/inc/caldav-DELETE.php b/inc/caldav-DELETE.php
index c7f381a6..9a2fc8ee 100644
--- a/inc/caldav-DELETE.php
+++ b/inc/caldav-DELETE.php
@@ -16,8 +16,9 @@ dbg_error_log("delete", "DELETE method handler");
 * truth about Evolution's broken handling of this: http://bugzilla.gnome.org/show_bug.cgi?id=349573
 */
-if ( !isset($etag_if_match) && isset($etag_none_match) && preg_match('#Evolution/([0-9.]+)#', $_SERVER['HTTP_USER_AGENT'], $matches ) ) {
-  if ( doubleval($matches[1]) <= 1.8 ) {
+if ( !isset($etag_if_match) && isset($etag_none_match) && isset($_SERVER['HTTP_USER_AGENT']) && preg_match('#Evolution/([0-9]+[.][0-9]+)#', $_SERVER['HTTP_USER_AGENT'], $matches ) ) {
+  if ( doubleval($matches[1]) <= 1.9 ) {
     $etag_if_match = $etag_none_match;
     unset($etag_none_match);
   }
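Review bot: The version gate `if ( doubleval($matches[1]) <= 1.9 ) {` still compares a version string as a float, so a two-digit minor such as 1.10 would parse as 1.1 and be routed into the Evolution workaround; `if ( version_compare($matches[1], '1.9', '<=') ) {` compares the components properly and needs nothing the file does not already have. The workaround rewrites a client-supplied If-None-Match into If-Match, which inverts the precondition the client actually sent; that is presumably deliberate for the cited Evolution bug, but the block deserves a line saying so, e.g. `// Evolution <= 1.9 sends If-None-Match where it means If-Match (bug 349573): treat it as If-Match.`. The bump from 1.8 to 1.9 is not explained in the commit message, so a reader cannot tell which releases were found to be affected. The isset() guard on HTTP_USER_AGENT is a good addition; the enclosing if block continues outside the hunk.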
@@ -34,36 +35,33 @@ if ( !isset($permissions['write']) ) {
 }
 /**
-* Wr read the resource first, so we can check if it matches (or does not match)
+* We read the resource first, so we can check if it matches (or does not match)
 */
 $qry = new PgQuery( "SELECT * FROM caldav_data WHERE user_no = ? AND dav_name = ?;", (isset($path_user_no)?$path_user_no:$session->user_no), $request_path );
 if ( $qry->Exec("DELETE") && $qry->rows == 1 ) {
   $delete_row = $qry->Fetch();
-  if ( (isset($etag_none_match) && $etag_none_match == $delete_row->dav_etag) || (isset($etag_if_match) && $etag_if_match != $delete_row->dav_etag) ) {
+  if ( (isset($etag_if_match) && $etag_if_match != $delete_row->dav_etag) ) {
     header("HTTP/1.1 412 Precondition Failed");
     header("Content-type: text/plain");
-    if ( isset($etag_none_match) && $etag_none_match == $delete_row->dav_etag ) {
-      echo "Resource matches 'If-None-Match' header - not deleted\n";
-    }
     if ( isset($etag_if_match) && $etag_if_match != $delete_row->dav_etag ) {
       echo "Resource does not match 'If-Match' header - not deleted\n";
     }
     exit(0);
   }
-  $qry = new PgQuery( "DELETE FROM caldav_data WHERE user_no = ? AND dav_name = ? $only_this_etag;", $session->user_no, $request_path );
+  $qry = new PgQuery( "DELETE FROM caldav_data WHERE user_no = ? 
AND dav_name = ?;", (isset($path_user_no)?$path_user_no:$session->user_no), $request_path );
   if ( $qry->Exec("DELETE") ) {
     header("HTTP/1.1 200 Deleted", true, 200);
     header("Content-length: 0");
-    dbg_error_log( "DELETE", "DELETE: User: %d, ETag: %s, Path: %s", $session->user_no, $etag_none_match, $request_path);
+    @dbg_error_log( "DELETE", "DELETE: User: %d, ETag: %s, Path: %s", $session->user_no, $etag_if_match, $request_path);
   } else {
     header("HTTP/1.1 500 Infernal Server Error");
-    dbg_error_log( "DELETE", "DELETE failed: User: %d, ETag: %s, Path: %s, SQL: %s", $session->user_no, $etag_none_match, $request_path, $qry->querystring);
+    @dbg_error_log( "DELETE", "DELETE failed: User: %d, ETag: %s, Path: %s, SQL: %s", $session->user_no, $etag_if_match, $request_path, $qry->querystring);
   }
 } else {
   header("HTTP/1.1 404 Not Found");
-  dbg_error_log( "DELETE", "DELETE row not found: User: %d, ETag: %s, Path: %s", $qry->rows, $session->user_no, $etag_none_match, $request_path);
+  @dbg_error_log( "DELETE", "DELETE row not found: User: %d, ETag: %s, Path: %s", $qry->rows, $session->user_no, $etag_if_match, $request_path);
 }
 ?>
\ No newline at end of file
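Review bot: The If-Match precondition is now checked only against the row returned by the SELECT, while the new DELETE statement that follows the precondition block runs unconditionally — the old `$only_this_etag` predicate is dropped — so a PUT that replaces the resource between the two statements is deleted even though its ETag no longer matches, and "200 Deleted" is sent whenever Exec() succeeds, including when zero rows were affected. Keying the delete on the ETag just verified closes both gaps: `$qry = new PgQuery( "DELETE FROM caldav_data WHERE user_no = ? AND dav_name = ? AND dav_etag = ?;", (isset($path_user_no)?$path_user_no:$session->user_no), $request_path, $delete_row->dav_etag );` followed by `if ( $qry->Exec("DELETE") && $qry->rows == 1 ) {`, with a 412 (or 404) on the zero-row path. In the 404 branch the new call `@dbg_error_log( "DELETE", "DELETE row not found: User: %d, ETag: %s, Path: %s", $qry->rows, $session->user_no, $etag_if_match, $request_path);` passes four arguments for three placeholders, so if dbg_error_log formats printf-style as the placeholders suggest, the row count is logged as the user and the user as the ETag — drop `$qry->rows` or add a `Rows: %d` placeholder. The `@` added to each dbg_error_log call presumably only silences the undefined-variable notice when no If-Match header was sent; passing `isset($etag_if_match) ? $etag_if_match : ''` instead keeps other warnings visible. The `$permissions['write']` gate that authorizes deleting from another user's calendar sits above the hunk, so whether it is computed for the path owner rather than the session user cannot be judged here.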