Piotr Filip
35641b099a
refactor scripts to allow operation with Content-Security-Policy: script-src 'self'
2022-12-12 21:32:57 +00:00
ruliane
43bda7a5ba
Fix error when $icfg is not set.
2022-12-12 21:13:49 +00:00
ruliane
19ec6fd2fb
Fix PHP Notice: Undefined variable: body in /usr/share/davical/inc/iSchedule.php on line 435
2022-12-12 20:57:34 +00:00
Andrew Ruthven
042237b05d
PHP 8.2 seems to set the timezone to UTC, always set Pacific/Auckland for testcases
...
Previously the logic only set Pacific/Auckland if the date.timezone setting
on the PHP ini files wasn't set. Let's just always set it if we're processing
the test suite.
2022-12-10 15:37:43 +13:00
Andrew Ruthven
6ad794eae6
freq_name is only used locally
...
This doesn't need to be an object field.
2022-12-10 14:37:31 +13:00
Andrew Ruthven
aab8ddfd30
Ensure that all fields are defined, not added dynamically.
...
PHP 8.2 deprecates dynamically adding properties. See:
https://php.watch/versions/8.2/dynamic-properties-deprecated
2022-12-10 14:37:31 +13:00
Andrew Ruthven
46feee1ec7
Stop copying all fields from the Principal object.
...
PHP 8.2 deprecates dynamically adding properties. See:
https://php.watch/versions/8.2/dynamic-properties-deprecated
This arbitrary copying of all fields tickles these deprecation
warnings, and just below we copy exactly the fields we need.
I reckon this loop is redundant.
2022-12-10 02:46:37 +13:00
Andrew Ruthven
8162b9f850
Ensure that propfind for access is deterministic.
...
I noticed that the ordering of principals returned wasn't deterministic
for tests. Ensure it is.
2022-12-10 02:04:27 +13:00
Florian Schlichting
88670bfa39
release davical 1.1.11
2022-10-04 14:05:19 +02:00
Florian Schlichting
f44a996432
do not report VTODO in freebusy (fixes: #267)
...
RFC 4791 clearly states in 7.10:
Only VEVENT components without a TRANSP property or with the TRANSP
property set to OPAQUE, and VFREEBUSY components SHOULD be considered
in generating the free busy time information.
Looking at fa67ef987e, this used to be VFREEBUSY until the refactoring, and
0886-REPORT-freebusy.test still had that.
Apparently we're not (yet) considering VAVAILABILITY (RFC 7953) here.
2022-10-04 08:47:53 +02:00
Andrew Ruthven
6cf8d5f81d
Another attempt to make the results deterministic
2022-07-12 14:27:50 +12:00
Andrew Ruthven
26b92a864d
Try and be more deterministic.
2022-06-28 23:57:18 +12:00
Andrew Ruthven
d90d85d00e
Make GET on a collection deterministic.
...
Turns out it was returning a sorted list based on a generated uuid, which
could be different in different regression environments. When I was
running tests locally I was always using the same initial.dbdump
file. The tests now pass even with a truly fresh regression DB.
2022-06-28 22:47:31 +12:00
linda.fliss
e8b43e60db
fixed debug injection
2022-02-18 15:55:36 +01:00
Andrew Ruthven
0913f8ca69
Fix another PHP 8.1 error
2022-02-18 23:11:50 +13:00
Andrew Ruthven
5f71ccae8b
Limit results for get_include_subcollections
...
Closes #231.
2022-02-18 23:11:50 +13:00
Paul Waite
dd5bd9c282
Provide a facility for setting an override URL which will replace the Change Password UI, and the Forgotten Password UI with a clickable link.
2022-02-12 14:02:54 +00:00
Andrew Ruthven
cf0e2774f6
Fix a second time where the array might be false.
2022-02-13 01:46:44 +13:00
Raivo Hool
f42627c89f
Fix iSchedule configuration with PHP 8
...
Closes #252.
2022-02-13 01:45:25 +13:00
Andrew Ruthven
8f5a1d2bcc
Another fix for PHP 8.1
2022-02-13 01:34:55 +13:00
Andrew Ruthven
836c715a1c
Fix the version of AWL we want.
...
We do actually want 0.62.
Closes #253.
2022-02-13 01:21:17 +13:00
Andrew Ruthven
02af0c58ee
Further fixes for PHP 8.1
...
I don't know why this only shows up in the gitlab runners. I have PHP 8.1
locally.
2022-02-13 01:04:47 +13:00
Andrew Ruthven
1c77febeb1
gmstrftime is deprecated in PHP 8.1
...
Switch to using gmdate. One benefit is that gmdate doesn't respect
the locale, so we don't need the logic to hardcode the month
in English.
2022-02-13 00:42:49 +13:00
Andrew Ruthven
f1a4dcee0c
More fixes for PHP 8.1
2022-02-12 23:59:26 +13:00
Andrew Ruthven
5d56f6b5ea
Allow "&'<> in passwords.
...
We had already allowed these when changing a password, but they were
being escaped when logging in. Closes #259.
2022-02-12 23:48:50 +13:00
Andrew Ruthven
8096807c6d
Fixes for warnings in PHP 8.1
2022-02-12 23:41:28 +13:00
Andrew Ruthven
c26ad777a2
We need $privilege_names in the list of globals.
...
Closes #250. Thank you to Laurent Hoareau and Jos Alsters.
2021-09-19 02:56:19 +12:00
Piotr Filip
467a6bf890
fix: Rfc5545Duration __toString returns "P" when in_duration==0
2021-09-18 13:48:39 +00:00
Andrew Ruthven
1e5c1fd1f3
Disable the debug mode, leave extra debugging output available
2021-09-18 23:22:57 +12:00
Andrew Ruthven
19e69060b9
Enable more debugging so I can see timezone differences in CI
2021-09-18 22:15:27 +12:00
Andrew Ruthven
e4f48ddc1a
For RRULE BYMONTHDAY skip expansions where the new day is not the day we expect.
...
This fixes one of the issues raised in #248.
2021-08-11 22:36:38 +12:00
Florian Schlichting
e92e981542
Listing External Calendars is part of the Administration menu and should be restricted to admins
...
this could be made configurable, or lumped in with
$c->restrict_setup_to_admin, but non-admins only get here by manually
entering the URL...
2021-02-09 01:54:32 +08:00
Florian Schlichting
202e2edd5a
tighten $c->list_everyone to look for DAV::read privilege and actually block access to principals and collections
...
Groups really only exist in the davical web interface, CALDAV clients
discover principals and collections based on GRANTs such as the
DAV::read privilege, so use that for the web interface as well.
Also, not listing users is nice, actually blocking access to those users
(which can be enumerated with the id GET parameter) is a lot better.
2021-02-09 01:54:32 +08:00
Klaus M Pfeiffer
042ce5f076
add feature list_everyone (fixes #59)
2021-02-08 17:41:28 +00:00
Andrew Ruthven
ccedbd1be9
Include the UID of the card which caused us to hit the RRULE limit
...
This will helpfully assist tracking down issues with recurrence rules.
2021-02-06 20:19:03 +13:00
Florian Schlichting
b4f8f5a6c1
cardquery: ensure restriction to target collection remains in force even when we find that we need a post_filter step and thus throw away the SQL
...
this ensures a sane (but still wrong) result for
carddav/2051-REPORT-carddavclient-ParamNotDefinedSome
2021-02-05 02:01:09 +08:00
Florian Schlichting
75f62a81f6
fix PHP8 deprecation warnings: "Required parameter X follows optional parameter Y"
...
Deprecated: Required parameter $username follows optional parameter $attributes in inc/drivers_ldap.php on line 190
Deprecated: Required parameter $passwd follows optional parameter $attributes in inc/drivers_ldap.php on line 190
Deprecated: Required parameter $ua_string follows optional parameter $min_age in inc/external-fetch.php on line 42
As explained in https://www.php.net/manual/en/migration80.deprecated.php,
If a parameter with a default value is followed by a required
parameter, the default value has no effect. This is deprecated as of
PHP 8.0.0 and can generally be resolved by dropping the default
value, without a change in functionality
2021-02-03 23:25:51 +08:00
Jan Hicken
f376be164e
Use brackets instead of curly braces for string offset access
...
Curly braces have been deprecated in PHP 7.4 and unsupported in PHP 8.0.
2021-02-03 14:57:57 +00:00
Piotr Filip
e98bf7b682
fix: events with recurrence rule are sometimes counted one too many times in freebusy
2021-01-25 00:08:13 +13:00
Florian Schlichting
e64fd2b868
LSID logins were removed from AWL, drop related bits in davical
2020-04-04 17:44:12 +02:00
Florian Schlichting
007bf95589
use foreach() instead of deprecated each() (fixes #190)
2019-12-06 18:21:08 +08:00
Florian Schlichting
e2c6b927c8
HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings
2019-12-06 18:17:18 +08:00
nielsvangijzen
c8a0ca4531
Fix CSRF not being checked in collection-edit.php
2019-12-06 09:30:16 +01:00
Jim Fenton
a3acb770ac
release 1.1.9.1: fix XSS function lost in rebuild of always.php
2019-12-03 16:35:08 -08:00
Jim Fenton
072207e1c8
Merge branch '194-confidential-issue'
2019-12-03 14:39:40 -08:00
nielsvangijzen
1a917b30eb
Addressed comments made by @puck42
2019-11-29 09:58:46 +01:00
Andrew Ruthven
d3a8771d01
Merge branch 'cprn/davical-master'
2019-11-26 23:00:09 +13:00
Andrew Ruthven
65ce5d443e
Fix syntax
2019-11-26 22:51:37 +13:00
Andrew Ruthven
8e7866c550
Use a placeholder for another instance of collection_id
2019-11-26 22:24:49 +13:00
nielsvangijzen
86a8ec5302
Added CSRF to the application (took in account backwards compatibility)
...
Mitigated the XSS vulnerabilities reported by HackDefense
Advisories for said vulnerabilities can be found here:
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability
2019-10-28 11:55:11 +01:00