Don't disclose permissions if not the owner. Convert user names.
authorJan Schneider <jan@horde.org>
Wed, 9 Jun 2010 10:31:15 +0000 (12:31 +0200)
committerJan Schneider <jan@horde.org>
Wed, 9 Jun 2010 10:31:15 +0000 (12:31 +0200)
kronolith/lib/Ajax/Application.php
kronolith/lib/Kronolith.php

index 6e621fa..224af8d 100644 (file)
@@ -558,7 +558,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
                 try {
                     $calendar = Kronolith::addShare($info);
                     Kronolith::readPermsForm($calendar);
-                    $result->perms = $calendar->getPermission()->data;
+                    $result->perms = Kronolith::permissionToJson($calendar->getPermission());
                 } catch (Exception $e) {
                     $GLOBALS['notification']->push($e, 'horde.error');
                     return $result;
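Review bot: Whether the caller owns the share is not checked before the permission hash is assigned at line 15, while the listing code in Kronolith.php in this same commit gates the `perms` key on `$owner`. After addShare the current user is presumably the owner, but the updateShare and updateTasklist paths (lines 24 and 42) and the calendar entry built at line 51 return `perms` for whatever calendar the request names; if those endpoints can be reached for a calendar the user only has EDIT rights on, the data the commit hides in the listing is still disclosed here. Consider guarding those assignments with the same owner test, e.g. `if ($calendar->get('owner') == $GLOBALS['registry']->getAuth()) { $result->perms = Kronolith::permissionToJson($calendar->getPermission()); }`, or documenting why an owner check is unnecessary on these paths. The enclosing methods start and end outside the hunks.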
@@ -575,7 +575,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
                 $original_name = $calendar->get('name');
                 Kronolith::updateShare($calendar, $info);
                 Kronolith::readPermsForm($calendar);
-                $result->perms = $calendar->getPermission()->data;
+                $result->perms = Kronolith::permissionToJson($calendar->getPermission());
             } catch (Exception $e) {
                 $GLOBALS['notification']->push($e, 'horde.error');
                 return $result;
@@ -605,7 +605,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
                 try {
                     $tasklist = $GLOBALS['registry']->tasks->addTasklist($calendar['name'], $calendar['description'], $calendar['color']);
                     Kronolith::readPermsForm($tasklist);
-                    $result->perms = $tasklist->getPermission()->data;
+                    $result->perms = Kronolith::permissionToJson($tasklist->getPermission());
                 } catch (Exception $e) {
                     $GLOBALS['notification']->push($e, 'horde.error');
                     return $result;
@@ -625,7 +625,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
             try {
                 $GLOBALS['registry']->tasks->updateTasklist($calendar_id, $calendar);
                 Kronolith::readPermsForm($tasklists[$calendar_id]);
-                $result->perms = $tasklists[$calendar_id]->getPermission()->data;
+                $result->perms = Kronolith::permissionToJson($tasklists[$calendar_id]->getPermission());
             } catch (Exception $e) {
                 $GLOBALS['notification']->push($e, 'horde.error');
                 return $result;
@@ -739,7 +739,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
             'fg' => Kronolith::foregroundColor($calendar),
             'bg' => Kronolith::backgroundColor($calendar),
             'show' => false,
-            'perms' => $calendar->getPermission()->data,
+            'perms' => Kronolith::permissionToJson($calendar->getPermission()),
             'edit' => $calendar->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::EDIT),
             'tg' => array_values($tagger->getTags($calendar->getName(), 'calendar')));
         return $result;
index cea6e90..deab309 100644 (file)
@@ -262,11 +262,13 @@ class Kronolith
                         'fg' => self::foregroundColor($calendar),
                         'bg' => self::backgroundColor($calendar),
                         'show' => in_array($id, $GLOBALS['display_calendars']),
-                        'perms' => $calendar->getPermission()->data,
                         'edit' => $calendar->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::EDIT),
                         'sub' => $subscriptionCals . ($calendar->get('owner') ? $calendar->get('owner') : '-system-') . '/' . $calendar->getName() . '.ics',
                         'feed' => (string)Kronolith::feedUrl($calendar->getName()),
                         'tg' => array_values($tagger->getTags($calendar->getName(), 'calendar')));
+                    if ($owner) {
+                        $code['conf']['calendars']['internal'][$id]['perms'] = self::permissionToJson($calendar->getPermission());
+                    }
                 }
             }
 
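Review bot: The `perms` entry is now written through the full key path `$code['conf']['calendars']['internal'][$id]` at line 66, which has to stay identical to the key the preceding array literal is assigned to (that assignment begins above the hunk and is not visible here); the same pattern repeats at line 79 with `['tasklists']['tasks/' . $id]`. Building the entry in a local variable, adding `perms` to it when `$owner` is set and assigning it once would remove the duplicated path and the risk of the two keys drifting apart. `$owner` itself is defined outside the hunk; presumably it is a per-calendar ownership flag, but that is worth confirming since it is now the only thing preventing the disclosure the commit is meant to stop. The enclosing method starts and ends outside the hunk.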
@@ -291,9 +293,11 @@ class Kronolith
                         'fg' => self::foregroundColor($tasklist),
                         'bg' => self::backgroundColor($tasklist),
                         'show' => in_array('tasks/' . $id, $GLOBALS['display_external_calendars']),
-                        'perms' => $tasklist->getPermission()->data,
                         'edit' => $tasklist->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::EDIT),
                         'sub' => $subscriptionTasks . ($tasklist->get('owner') ? $tasklist->get('owner') : '-system-') . '/' . $tasklist->getName() . '.ics');
+                    if ($owner) {
+                        $code['conf']['calendars']['tasklists']['tasks/' . $id]['perms'] = self::permissionToJson($tasklist->getPermission());
+                    }
                 }
             }
         }
@@ -387,6 +391,37 @@ class Kronolith
     }
 
     /**
+     * Converts a permission object to a json object.
+     *
+     * This methods filters out any permissions for the owner and converts the
+     * user name if necessary.
+     *
+     * @param Horde_Perms_Permission $perm  A permission object.
+     *
+     * @return array  A hash suitable for json.
+     */
+    public static function permissionToJson(Horde_Perms_Permission $perm)
+    {
+        $json = $perm->data;
+        if (isset($json['users'])) {
+            $users = array();
+            foreach ($json['users'] as $user => $value) {
+                if ($user == $GLOBALS['registry']->getAuth()) {
+                    continue;
+                }
+                $user = $GLOBALS['registry']->convertUsername($user, false);
+                $users[$user] = $value;
+            }
+            if ($users) {
+                $json['users'] = $users;
+            } else {
+                unset($json['users']);
+            }
+        }
+        return $json;
+    }
+
+    /**
      * Returns all the alarms active on a specific date.
      *
      * @param Horde_Date $date    The date to check for alarms.
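Review bot: The filter at line 103 drops the entry of the currently authenticated user, not the share owner as the docblock at lines 90-91 states; if this is called for a share owned by someone else, any entry for the owner is kept and the caller's own entry is hidden instead. If the owner is the intent, pass it in (for example from `$calendar->get('owner')` as a second parameter), otherwise reword the docblock to `* This method filters out the permissions of the current user and converts`. The comparison should also be strict, `if ($user === $GLOBALS['registry']->getAuth()) {`, since a loose `==` between a user name and the `getAuth()` result can match unintended values. Note as well that two distinct names mapping to the same `convertUsername()` result overwrite each other at line 107, so one user's permissions silently replace another's in the returned hash.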