nik/davical
1
0
Fork 0
mirror of https://gitlab.com/davical-project/davical.git synced 2026-04-25 15:10:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,768 Commits 11 Branches 61 Tags 14 MiB
Commit Graph

1964 Commits

Author SHA1 Message Date
linda.fliss
e8b43e60db fixed debug injection 2022-02-18 15:55:36 +01:00
Andrew Ruthven
0913f8ca69 Fix another PHP 8.1 error 2022-02-18 23:11:50 +13:00
Andrew Ruthven
5f71ccae8b Limit results for get_include_subcollections 
Closes #231.
 2022-02-18 23:11:50 +13:00
Paul Waite
dd5bd9c282 Provide a facility for setting an override URL which will replace the Change Password UI, and the Forgotten Password UI with a clickable link. 2022-02-12 14:02:54 +00:00
Andrew Ruthven
cf0e2774f6 Fix a second time where the array might be false. 2022-02-13 01:46:44 +13:00
Raivo Hool
f42627c89f Fix iSchedule configuration with PHP 8 
Closes #252.
 2022-02-13 01:45:25 +13:00
Andrew Ruthven
8f5a1d2bcc Another fix for PHP 8.1 2022-02-13 01:34:55 +13:00
Andrew Ruthven
836c715a1c Fix the version of AWL we want. 
We do actually want 0.62.

Closes #253.
 2022-02-13 01:21:17 +13:00
Andrew Ruthven
02af0c58ee Further fixes for PHP 8.1 
I don't know why this only show up in the gitlab runners. I have PHP 8.1
locally.
 2022-02-13 01:04:47 +13:00
Andrew Ruthven
1c77febeb1 gmstrftime is deprecated in PHP 8.1 
Switch to using gmdate. One benefit is that gmdate doesn't respect
the locale, so we don't need the logic to hardcode the month
in English.
 2022-02-13 00:42:49 +13:00
Andrew Ruthven
f1a4dcee0c More fixes for PHP 8.1 2022-02-12 23:59:26 +13:00
Andrew Ruthven
5d56f6b5ea Allow "&'<> in passwords. 
We had already allowed these when changing a password, but they were
being escaped when logging in. Closes #259.
 2022-02-12 23:48:50 +13:00
Andrew Ruthven
8096807c6d Fixes for warnings in PHP 8.1 2022-02-12 23:41:28 +13:00
Andrew Ruthven
c26ad777a2 We need $privilege_names in the list of globals. 
Closes #250. Thank you to Laurent Hoareau and Jos Alsters.
 2021-09-19 02:56:19 +12:00
Piotr Filip
467a6bf890 fix: Rfc5545Duration __toString returns "P" when in_duration==0 2021-09-18 13:48:39 +00:00
Andrew Ruthven
1e5c1fd1f3 Disable the debug mode, leave extra debugging output available 2021-09-18 23:22:57 +12:00
Andrew Ruthven
19e69060b9 Enable more debugging so I can see timezone differences in CI 2021-09-18 22:15:27 +12:00
Andrew Ruthven
e4f48ddc1a For RRULE BYMONTHDAY skip expansions where the new day is not the day we expect. 
This fixes one of the issues raised in #248.
 2021-08-11 22:36:38 +12:00
Florian Schlichting
e92e981542 Listing External Calendars is part of the Administration menu and should be restricted to admins 
this could be made configurable, or lumped in with
$c->restrict_setup_to_admin, but non-admins only get here by manually
entering the URL...
 2021-02-09 01:54:32 +08:00
Florian Schlichting
202e2edd5a tighten $c->list_everyone to look for DAV::read privilege and actually block access to principals and collections 
Groups really only exist in the davical web interface, CALDAV clients
discover principals and collections based on GRANTs such as the
DAV::read privilege, so use that for the web interface as well.

Also, not listing users is nice, actually blocking access to those users
(which can be enumerated with the id GET parameter) is a lot better.
 2021-02-09 01:54:32 +08:00
Klaus M Pfeiffer
042ce5f076 add feature list_everyone (fixes #59) 2021-02-08 17:41:28 +00:00
Andrew Ruthven
ccedbd1be9 Include the UID of the card which caused us to hit the RRULE limit 
This will helpfully assist tracking down issues with recurrence rules.
 2021-02-06 20:19:03 +13:00
Florian Schlichting
b4f8f5a6c1 cardquery: ensure restriction to target collection remains in force even when we find that we need a post_filter step and thus throw away the SQL 
this ensures a sane (but still wrong) result for
carddav/2051-REPORT-carddavclient-ParamNotDefinedSome
 2021-02-05 02:01:09 +08:00
Florian Schlichting
75f62a81f6 fix PHP8 deprecation warnings: "Required parameter X follows optional parameter Y" 
Deprecated: Required parameter $username follows optional parameter $attributes in inc/drivers_ldap.php on line 190
Deprecated: Required parameter $passwd follows optional parameter $attributes in inc/drivers_ldap.php on line 190
Deprecated: Required parameter $ua_string follows optional parameter $min_age in inc/external-fetch.php on line 42

As explained in https://www.php.net/manual/en/migration80.deprecated.php,
    If a parameter with a default value is followed by a required
    parameter, the default value has no effect. This is deprecated as of
    PHP 8.0.0 and can generally be resolved by dropping the default
    value, without a change in functionality
 2021-02-03 23:25:51 +08:00
Jan Hicken
f376be164e Use brackets instead of curly braces for string offset access 
Curly braces have been deprecated in PHP 7.4 and unsupported in PHP 8.0.
 2021-02-03 14:57:57 +00:00
Piotr Filip
e98bf7b682 fix: events with recurrence rule are sometimes counted one too many times in freebusy 2021-01-25 00:08:13 +13:00
Florian Schlichting
e64fd2b868 LSID logins were removed from AWL, drop related bits in davical 2020-04-04 17:44:12 +02:00
Florian Schlichting
007bf95589 use foreach() instead of deprecated each() (fixes #190) 2019-12-06 18:21:08 +08:00
Florian Schlichting
e2c6b927c8 HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings 2019-12-06 18:17:18 +08:00
nielsvangijzen
c8a0ca4531 Fix CSRF not being checked in collection-edit.php 2019-12-06 09:30:16 +01:00
Jim Fenton
a3acb770ac release 1.1.9.1: fix XSS function lost in rebuild of always.php 2019-12-03 16:35:08 -08:00
Jim Fenton
072207e1c8 Merge branch '194-confidential-issue' 2019-12-03 14:39:40 -08:00
nielsvangijzen
1a917b30eb Addressed comments made by @puck42 2019-11-29 09:58:46 +01:00
Andrew Ruthven
d3a8771d01 Merge branch 'cprn/davical-master' 2019-11-26 23:00:09 +13:00
Andrew Ruthven
65ce5d443e Fix syntax 2019-11-26 22:51:37 +13:00
Andrew Ruthven
8e7866c550 Use a placeholder for another instance of collection_id 2019-11-26 22:24:49 +13:00
nielsvangijzen
86a8ec5302 Added CSRF to the application (took in account backwards compatibility) 
Mitigated the XSS vulnerabilities reported by HackDefense
Advisories for said vulnerabilities can be found here:
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability
 2019-10-28 11:55:11 +01:00
Milan Crha
710bc6cccd Add missing 'break;' into RRule.php 2019-06-19 09:20:56 +00:00
Cyprian Guerra
2ba1d64b0c fixing Invalid parameter number: :collection_id 2019-03-28 10:52:32 +01:00
Florian Schlichting
75d4db9afb two more PHP5 curl 2019-03-11 22:46:37 +01:00
Andrew Ruthven
afe69f22d3 We need PHP curl, not specifically PHP5 curl 2019-03-07 16:15:34 +13:00
Jamie McClymont
9522fd5f3c Make range-based calendar queries use the new first_instance_start/last_instance_end columns 2019-02-28 16:00:19 +13:00
Jamie McClymont
b07019ed96 Make calquery expansion aware of the calendar default timezone 
This fixes cases where we emit floating times
 2019-02-28 16:00:19 +13:00
Florian Schlichting
97a2686459 fix more PHP7+ type hints for PHP5 compatibility (fixes #197) 2019-02-13 08:49:19 +01:00
Florian Schlichting
9bc94556b4 add users to new groups in the "update groups" step 
do not maintain the same code twice
 2019-01-30 22:28:58 +01:00
Florian Schlichting
8d622df3e5 honour do_not_sync_group_from_ldap when creating groups, correctly display all results 
same for groups
 2019-01-30 22:18:43 +01:00
Florian Schlichting
eb0e9a8aec honour do_not_sync_from_ldap when creating users, correctly display all results 
despite its name, $c->do_not_sync_from_ldap did not stop accounts in
LDAP from being created in Davical, it only stopped accounts not in LDAP
from being deactived in Davical (like a local admin account)
 2019-01-30 21:57:24 +01:00
Florian Schlichting
afcaacaf2a do_not_sync_from_ldap for groups (fixes #158) 2019-01-30 21:42:01 +01:00
Florian Schlichting
de1e994cab make the Admin role inheritable (fix #140) 2019-01-30 21:12:06 +01:00
Florian Schlichting
6627018f77 turn PHP7+ type hint into phpdoc (fixes #185) 2019-01-30 18:20:04 +01:00