56 Commits

Author SHA1 Message Date
Florian Schlichting
202e2edd5a tighten $c->list_everyone to look for DAV::read privilege and actually block access to principals and collections
Groups really only exist in the davical web interface; CalDAV clients
discover principals and collections based on GRANTs such as the
DAV::read privilege, so use that for the web interface as well.

Also, not listing users is nice; actually blocking access to those users
(which can be enumerated with the id GET parameter) is a lot better.
2021-02-09 01:54:32 +08:00
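The point of the commit above, shown as an added example that is not DAViCal's own code: hiding an entry from a listing is not access control, because the detail page is still reachable by guessing `?id=N`. The same privilege check that filters the list has to gate the direct lookup. All names here (`have_privilege`, `is_admin`, `visible_targets`, `view_target`, the sample grant table and the ids) are hypothetical and the data is constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data (hypothetical, not DAViCal's schema): a grant gives
// a principal a DAV privilege on a target, where a target is either another
// principal or a collection, both keyed by a numeric id as in "?id=N".
$grants = [
    // [grantee_id, target_id, privilege]
    [10, 10, 'DAV::read'],   // alice may read her own principal
    [10, 42, 'DAV::read'],   // alice may read the shared collection
    [11, 11, 'DAV::read'],   // bob may read his own principal
    [11, 43, 'DAV::read'],   // bob may read his private collection
];
$targets = [
    10 => 'principal: alice',
    11 => 'principal: bob',
    42 => 'collection: shared',
    43 => 'collection: bob-private',
];

function is_admin(int $who): bool
{
    return $who === 1;   // hypothetical: principal 1 is the admin
}

function have_privilege(array $grants, int $who, int $target, string $priv): bool
{
    foreach ($grants as [$grantee, $t, $p]) {
        if ($grantee === $who && $t === $target && $p === $priv) {
            return true;
        }
    }
    return false;
}

// Listing: with list_everyone an admin-style "show all" view is allowed,
// otherwise only targets the viewer holds DAV::read on are shown.
function visible_targets(array $grants, array $targets, int $who, bool $list_everyone): array
{
    $out = [];
    foreach ($targets as $id => $name) {
        if ($list_everyone || is_admin($who) || have_privilege($grants, $who, $id, 'DAV::read')) {
            $out[$id] = $name;
        }
    }
    return $out;
}

// Direct access by id: this is the check the listing filter cannot replace.
// Unknown ids and forbidden ids get the same answer so the id space cannot be
// probed to tell "exists but hidden" apart from "does not exist".
function view_target(array $grants, array $targets, int $who, int $id): string
{
    if (!isset($targets[$id])) {
        return '404 Not Found';
    }
    if (!is_admin($who) && !have_privilege($grants, $who, $id, 'DAV::read')) {
        return '404 Not Found';
    }
    return $targets[$id];
}

// Simulated request from bob (principal 11) with list_everyone disabled.
$who = 11;
$listEveryone = false;
print_r(visible_targets($grants, $targets, $who, $listEveryone));  // ids 11 and 43 only

// Bob probes the id of a collection that was never listed to him.
$id = filter_var('42', FILTER_VALIDATE_INT);   // stands in for $_GET['id']
echo view_target($grants, $targets, $who, $id === false ? 0 : $id), "\n";  // 404 Not Found
echo view_target($grants, $targets, 10, 42), "\n";                           // collection: shared
```

Returning 404 rather than 403 for a forbidden id is a deliberate choice to close the enumeration oracle the commit mentions; if an installation prefers to distinguish the two cases, it should at least make sure the 403 does not leak the display name of the hidden principal.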
Klaus M Pfeiffer
042ce5f076 add feature list_everyone (fixes #59) 2021-02-08 17:41:28 +00:00
nielsvangijzen
c8a0ca4531 Fix CSRF not being checked in collection-edit.php 2019-12-06 09:30:16 +01:00
nielsvangijzen
86a8ec5302 Added CSRF to the application (took in account backwards compatibility)
Mitigated the XSS vulnerabilities reported by HackDefense
Advisories for said vulnerabilities can be found here:
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability
2019-10-28 11:55:11 +01:00
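The two fixes named in the commit above, as an added example in plain PHP rather than DAViCal's own code: a per-session CSRF token that every state-changing form must carry and that the handler compares in constant time, and context-correct output encoding for a value reflected into an attribute (the XSS side). The form field names, the `collection-edit` handler shape and the helper names `csrf_token`, `csrf_field`, `csrf_check` and `e` are all assumptions for the example; the project's actual token scheme and its backwards-compatibility handling are not reproduced here.

```php
<?php
declare(strict_types=1);

// One token per session; regenerating it on every request would break
// multi-tab use, so it is created once and reused.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // CSPRNG, 256 bits
    }
    return $_SESSION['csrf_token'];
}

// Attribute context: ENT_QUOTES so both ' and " are encoded. htmlspecialchars,
// not htmlentities, so non-ASCII text (translations) is left untouched.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

// Reject when the token is absent, not a string, or differs from the session
// value. hash_equals avoids a timing side channel on the comparison.
function csrf_check(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? null;
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Hypothetical collection-edit handler: the check runs before any change is
// applied, and a failure ends the request rather than falling through.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    // ... apply the edit here ...
}

// Render the form. $displayname stands in for a value that an earlier
// version echoed unencoded; with e() a payload such as
// "><script>alert(1)</script> is rendered as text, not markup.
$displayname = $_GET['displayname'] ?? '';
echo '<form method="post" action="collection-edit.php">'
    . csrf_field()
    . '<input name="displayname" value="' . e($displayname) . '">'
    . '<button type="submit">Save</button>'
    . '</form>';
```

Run from the CLI this only renders the form (PHP's CLI session handler writes to the default save path); under a web server the POST branch is exercised. Note that the token must be compared on every POST handler, not only on the one that was reported, which is what the follow-up commit for `collection-edit.php` corrects.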
Jamie McClymont
fe443bf2e6 Update instance range columns when a collection's timezone changes
TODO: Handle the case where it is updated through the web UI
2019-01-08 14:09:16 +13:00
Florian Schlichting
19eb79ebf9 provide defaults for unused function parameters (fixes #155)
PHP 7.1 throws an exception when a user-defined function is called with
too few arguments: http://php.net/manual/en/migration71.incompatible.php

As explained in the comments, collection_privilege_format_function and
principal_privilege_format_function take three arguments because of
their use as a rendering callback, however the latter two of them are
never used and thus can be omitted in other uses.
2018-12-29 19:38:13 +01:00
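The PHP 7.1 behaviour the commit above works around, as an added example that is not DAViCal's code: a callback declared with three parameters because a renderer calls it with three, while other callers pass only the first. Function names (`privilege_format_old`, `privilege_format`) and the renderer's argument shape are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Old shape (hypothetical): three required parameters because the table
// renderer invokes the callback as fn($value, $field, $row). A direct call
// with one argument was only a warning before PHP 7.1; from 7.1 on it throws
// ArgumentCountError and aborts the page.
function privilege_format_old(string $value, $field, $row): string
{
    return strtoupper($value);
}

// Fixed shape: defaults on the parameters the body never reads, so both the
// renderer's three-argument call and the one-argument call are valid.
function privilege_format(string $value, $field = null, $row = null): string
{
    return strtoupper($value);
}

function demo(): array
{
    $results = [];
    try {
        $results['old_one_arg'] = privilege_format_old('dav::read');
    } catch (ArgumentCountError $e) {
        $results['old_one_arg'] = 'ArgumentCountError: ' . $e->getMessage();
    }
    $results['old_three_args'] = privilege_format_old('dav::read', 'privileges', ['id' => 1]);
    $results['new_one_arg']    = privilege_format('dav::read');
    $results['new_three_args'] = privilege_format('dav::read', 'privileges', ['id' => 1]);
    return $results;
}

print_r(demo());
```

On PHP 7.1 or later the first entry is the caught ArgumentCountError and the other three are `DAV::READ`; on older releases the first call merely warns and returns the same string.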
Florian Schlichting
0ca04aaa68 UI: do not show tickets unless user has write access; they are like passwords
Same with external URLs

Also restrict Delete buttons on incoming binds to Admins: these binds
will usually live in other people's namespace, which we should not
alter, and may be restricted to default privileges (e.g. freebusy)
anyway
2017-01-11 00:10:21 +01:00
Florian Schlichting
ab7dad057d UI: use ExtraRowFormat to fix tooltip on action rows / buttons 2017-01-10 22:14:42 +01:00
Florian Schlichting
adce3f48a9 provide a .ics download link in collection view and document $c->get_includes_subcollections 2017-01-02 21:57:41 +01:00
Florian Schlichting
c0a2d6a7ee do not show edit buttons on admin pages when not allowed to edit 2016-12-30 18:47:46 +01:00
Florian Schlichting
f24c62531a inc/ui/collection-edit.php: display only privileges applicable for collections 2016-12-30 08:54:28 +01:00
Florian Schlichting
404d9ab449 fix remaining apigen errors (duplicate function names etc) 2016-12-30 08:54:24 +01:00
Florian Schlichting
eb7f2edc0c eliminate trailing whitespace, expand tabs 2016-12-30 08:52:44 +01:00
Florian Schlichting
38673060a1 Make "Toggle all privileges" button work on all forms 2015-12-16 00:08:21 +01:00
Jason Alavaliant
72dc5b1f39 fix the append box when importing collections 2013-09-02 15:02:47 +12:00
Christoph Anton Mitterer
8e60bb3124 set line endings of most text files to LF
* Changed the end-of-line encodings of all non-Windows-related and non-autogenerated text files to use UNIX LF (lots of them had mixed LF/CRLF).

Conflicts:
	inc/caldav-PUT-functions.php
2013-09-02 14:37:23 +12:00
Andrew McMillan
98fe8a9e19 Don't disable upload field. Use library to create 'append mode' field. 2012-05-15 00:21:35 +12:00
Andrew McMillan
f3b1f7fe98 Make the 'append' option work. 2012-01-30 22:25:02 -08:00
Andrew McMillan
2b26ca7d25 Enable the file upload for addressbook collections. 2012-01-13 17:34:11 +13:00
Andrew McMillan
23d454a6d0 The tooltips for schedule-send and schedule-deliver should be different! 2011-11-21 10:54:57 +13:00
Rob Ostensen
2de1327934 more external bind changes, added a clean up button, urls now show for external collections and added a few strings for translation 2011-10-24 21:18:04 +13:00
Andrew McMillan
5067d50215 Fix comment. 2011-10-10 13:48:05 +02:00
Andrew McMillan
2127c294a3 Various small fixes preparing for release.
Correct logic for auto-creating addressbook for new user.
Fix non-creation of default addressbook.
Fix principal/collection edit to allow write of no privileges.
Fix collection edit timezone list to use new table.
Update davical & libawl version in always.php.
Regression test changes with update to davical.sql.
2011-09-25 22:29:31 +13:00
Andrew McMillan
b901981c7c Fix calendar-query handling of properties. 2011-08-24 20:38:32 +12:00
Andrew McMillan
20ee255898 Refactor fetching of Principal records from database.
This is a significant refactoring, replacing the old getUserBy*()
functions with a new Principal class, and replacing the old
CalDAVPrincipal class with a new DAVPrincipal class which extends
the Principal class.

At this point all regression tests pass (again) but there could
well be issues for people who use alternative authenticators
such as LDAP, although I have endeavoured to resolve those
potential issues.

Signed-off-by: Andrew McMillan <andrew@morphoss.com>
2011-01-03 10:16:43 +13:00
Andrew McMillan
f305cdf4cb A few more places we need to ensure the collection is uncached.
Signed-off-by: Andrew McMillan <andrew@morphoss.com>
2011-01-01 21:55:55 +13:00
Andrew McMillan
5e4f574818 One final nail in PgQuery's coffin.
Signed-off-by: Andrew McMillan <andrew@morphoss.com>
2010-12-25 16:15:36 +13:00
Andrew McMillan
7f63f12e57 Better display of bindings. 2010-10-07 15:25:30 -04:00
Andrew McMillan
606375e6f1 [principal/collection edit] Add display of tickets and bindings. 2010-09-21 12:15:16 +12:00
Andrew McMillan
a46f8bf613 [collection-edit] Handle duplicate key error properly. Avoid SQL error on new. 2010-09-20 12:55:41 +12:00
Andrew McMillan
ef4a55a81b Order drop-down list of principals by displayname. 2010-08-18 21:36:52 +12:00
Andrew McMillan
1dab49a419 Provide visual feedback when users cannot edit a page. 2010-04-12 21:59:40 +12:00
Andrew McMillan
c0f7949ec4 Don't query the entries unless we actually have a collection. 2010-04-03 17:30:41 +13:00
Andrew McMillan
be3870fc36 Tidy logging. 2010-04-01 22:24:35 +13:00
Andrew McMillan
7a883ffa63 Fix incorrect parameter names in SQL query. 2010-03-22 17:23:59 +13:00
Rob Ostensen
d8e34dd211 include number of items in dav collection on collection edit page 2010-03-21 20:42:03 +13:00
Andrew McMillan
f109a963cc Correct privilege checking for modification of collection. 2010-03-14 12:15:44 +13:00
Andrew McMillan
6d6ea5a503 Nail the last (hopefully) missing reference to base_url. 2010-03-11 13:59:24 +13:00
Andrew McMillan
1959c30eed Validating user/collection names. Updating fullname/displayname. 2010-03-04 01:41:11 +13:00
Andrew McMillan
ecf57ce54e Updated collection / principal edit, with better l10n. 2010-03-02 14:39:57 +13:00
Andrew McMillan
d763312279 Use 'Revoke' rather than 'Delete' for grants, and 'Remove' for group members. 2010-02-28 20:13:10 +13:00
Andrew McMillan
03df4635e4 Strip slashes from collection names. They're too confusing. 2010-02-25 23:28:54 +13:00
Andrew McMillan
ef4ef353b5 Allow anything to be a collection name, but urlencode it. 2010-02-25 21:20:54 +13:00
Andrew McMillan
f1510c7670 Assign correct resourcetype on collection maintenance. 2010-02-25 09:40:55 +13:00
Andrew McMillan
87bb578cdf Fix the 'all' button action in grants update. 2010-02-24 14:00:33 +13:00
Andrew McMillan
39aec8c91c Making things more localisable. 2010-02-23 22:59:37 +13:00
Andrew McMillan
87816b2a05 Use htmlspecialchars rather than htmlentities, which screws up translations. 2010-02-23 22:59:36 +13:00
Andrew McMillan
154aaee283 Add better localisation support to principal / collection edit screens. 2010-02-18 21:13:31 +13:00
Andrew McMillan
8177d41be9 Edit Collections: Fix privileges to do this, and editing of privs. 2010-02-17 23:50:16 +13:00
Andrew McMillan
34ef2693a3 Make admin stuff work better in a subfolder. 2010-02-12 15:49:34 -08:00