From f33de018f38b2576c7e8eee39b10afcc6ef4f605 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Sat, 26 Dec 2009 12:37:02 +1300
Subject: [PATCH] Deny visibility of DAV::current-user-principal-set and DAV::acl as appropriate.
---
 inc/DAVResource.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/inc/DAVResource.php b/inc/DAVResource.php
index dbebeb77..eab52e50 100644
--- a/inc/DAVResource.php
+++ b/inc/DAVResource.php
@@ -1070,7 +1070,12 @@ EOQRY;
 break;

 case 'DAV::current-user-privilege-set':
- $reply->NSElement($prop, $tag, $this->BuildPrivileges() );
+ if ( $this->HavePrivilegeTo('DAV::read-current-user-privilege-set') ) {
+ $reply->NSElement($prop, $tag, $this->BuildPrivileges() );
+ }
+ else {
+ $denied[] = $tag;
+ }
 break;

 case 'urn:ietf:params:xml:ns:caldav:supported-calendar-data':
@@ -1137,7 +1142,12 @@ EOQRY;
 break;

 case 'DAV::acl':
- $reply->NSElement($prop, $tag, $this->GetACL( $reply ) );
+ if ( $this->HavePrivilegeTo('DAV::read-acl') ) {
+ $reply->NSElement($prop, $tag, $this->GetACL( $reply ) );
+ }
+ else {
+ $denied[] = $tag;
+ }
 break;

 default:
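Review bot: The new `else` branch in the `DAV::current-user-privilege-set` case (and the identical one in the `DAV::acl` case of the next hunk) appends to `$denied`, but neither hunk shows where `$denied` is initialised or turned into a 403 propstat, so it should be confirmed that the refusal reaches the client as Forbidden rather than as a silently missing property. A short comment at each guard would record the intent, e.g. `// RFC 3744: needs DAV:read-current-user-privilege-set, else reported as 403 via $denied`. The commit subject names `DAV::current-user-principal-set` while the code gates `DAV::current-user-privilege-set`; that looks like a slip and is worth correcting for anyone auditing the log. The enclosing switch starts and ends outside the hunk.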
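Review bot: The `DAV::read-acl` check in the `DAV::acl` case sits at the call site, so `GetACL()` itself stays unguarded and any other caller (none is visible in this hunk) would return the ACL without the privilege test; the same holds for `BuildPrivileges()` in the previous hunk. Consider moving the `HavePrivilegeTo()` test into those methods, or documenting on them that callers must check first. The privilege names are string literals, so it is also worth confirming that `HavePrivilegeTo()` returns false for a name it does not recognise, so that a typo cannot fail open. The enclosing switch continues outside the hunk.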