From: Michael J. Rubinsky Date: Mon, 8 Mar 2010 17:59:14 +0000 (-0500) Subject: Enforce the requirement that only a calendar->owner or event->creator are able to... X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=b1657f1dbe216f66423bb73b88a2bd32a7cb944b;p=horde.git Enforce the requirement that only a calendar->owner or event->creator are able to tag the resource
---
diff --git a/kronolith/edit.php b/kronolith/edit.php
index 83c67bd67..d4ab6954a 100644
--- a/kronolith/edit.php
+++ b/kronolith/edit.php
@@ -20,7 +20,7 @@ function _save(&$event)
 $GLOBALS['notification']->push(sprintf(_("There was an error editing the event: %s"), $e->getMessage()), 'horde.error');
 }
 $tagger = Kronolith::getTagger();
- $tagger->replaceTags($event->uid, Horde_Util::getFormData('tags'));
+ $tagger->replaceTags($event->uid, Horde_Util::getFormData('tags'), $event->creator);
 Kronolith::notifyOfResourceRejection($event);
 }
diff --git a/kronolith/lib/Ajax/Imple/TagActions.php b/kronolith/lib/Ajax/Imple/TagActions.php
index d36d28f72..c9c7fe5cd 100644
--- a/kronolith/lib/Ajax/Imple/TagActions.php
+++ b/kronolith/lib/Ajax/Imple/TagActions.php
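Review bot: The `replaceTags()` call in `_save()` (edit.php) now stores the submitted tags under `$event->creator`, but nothing in the hunk compares the creator with the logged-in user, so whoever can reach this save path replaces the creator's tags; the Ajax handler in TagActions.php makes that comparison, this path does not. The body of `_save()` starts above the hunk, so a check may exist there; if it does not, guard the call with `if ($event->creator == Horde_Auth::getAuth()) {` … `}`, and otherwise add a comment naming where the restriction is enforced. The driver call sites in Kolab.php and Sql.php pass `$event->creator` in the same way and need the same answer. The call also sits after the closing brace of what looks like the `catch` block, so it appears to run even when saving the event failed.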
@@ -49,21 +49,25 @@ class Kronolith_Ajax_Imple_TagActions extends Horde_Ajax_Imple_Base
 $content = array('id' => $post['resource'], 'type' => $post['type']);
 $tags = rawurldecode($post['tags']);
- // Check perms
+ // Check perms only calendar owners may tag a calendar, only event
+ // creator can tag an event.
 if ($post['type'] == 'calendar') {
 $cal = $GLOBALS['kronolith_shares']->getShare($post['resource']);
- $perm = $cal->hasPermission(Horde_Auth::getAuth(), Horde_Perms::EDIT);
+ $owner = $cal->get('owner');
 } elseif($post['type'] == 'event') {
 $event = Kronolith::getDriver()->getByUID($post['resource']);
- $perm = $event->hasPermission(Horde_Perms::EDIT, Horde_Auth::getAuth());
+ $owner = $event->creator;
 }
+ // $owner is null for system-owned shares, so an admin has perms,
+ // otherwise, make sure the resource owner is the current user
+ $perm = empty($owner) ? Horde_Auth::isAdmin() : $owner == Horde_Auth::getAuth();
+
 if ($perm) {
- /* Get the resource owner */
 $tagger = Kronolith::getTagger();
 switch ($request) {
 case 'add':
- $tagger->tag($post['resource'], $tags, $post['type']);
+ $tagger->tag($post['resource'], $tags, $owner, $post['type']);
 break;
 case 'remove':
 $tagger->untag($post['resource'], (int)$tags, $post['type']);
diff --git a/kronolith/lib/Driver/Kolab.php b/kronolith/lib/Driver/Kolab.php
index 4a9c4ac74..4c84e20c0 100644
--- a/kronolith/lib/Driver/Kolab.php
+++ b/kronolith/lib/Driver/Kolab.php
@@ -362,9 +362,9 @@ class Kronolith_Driver_Kolab extends Kronolith_Driver
 /* Deal with tags */
 $tagger = Kronolith::getTagger();
 if (!empty($edit)) {
- $tagger->replaceTags($event->uid, $event->tags, 'event');
+ $tagger->replaceTags($event->uid, $event->tags, $event->creator, 'event');
 } else {
- $tagger->tag($event->uid, $event->tags, $event->creator, 'event');
+ $tagger->tag($event->uid, $event->tags, $event->creator, 'event');
 }
 /* Notify about the changed event. */
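Review bot: In the TagActions.php hunk `$owner` is assigned only when the posted `type` is `calendar` or `event`; for any other value it stays undefined, `empty($owner)` is true, and an administrator's request goes on to `tag()` with a type the tagger does not know. Add a final `else` that refuses the request, and compare identities strictly: `$perm = empty($owner) ? Horde_Auth::isAdmin() : $owner === Horde_Auth::getAuth();`. The results of `getShare()` and `getByUID()` are also dereferenced unchecked; if either can return an error object (Kronolith.php tests for `PEAR_Error` in this same commit), a failed lookup should deny the request before `->get('owner')` or `->creator` is reached. The same fallback lets any administrator tag an event whose `creator` is empty, which the comment should state if it is intended. The method starts and ends outside the hunk.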
diff --git a/kronolith/lib/Driver/Sql.php b/kronolith/lib/Driver/Sql.php
index ca057e1c6..643ecba28 100644
--- a/kronolith/lib/Driver/Sql.php
+++ b/kronolith/lib/Driver/Sql.php
@@ -570,7 +570,7 @@ class Kronolith_Driver_Sql extends Kronolith_Driver
 /* Update tags */
 $tagger = Kronolith::getTagger();
- $tagger->replaceTags($event->uid, $event->tags, 'event');
+ $tagger->replaceTags($event->uid, $event->tags, $event->creator, 'event');
 /* Update Geolocation */
 if ($gDriver = Kronolith::getGeoDriver()) {
@@ -628,7 +628,7 @@ class Kronolith_Driver_Sql extends Kronolith_Driver
 /* Deal with any tags */
 $tagger = Kronolith::getTagger();
- $tagger->tag($event->uid, $event->tags, 'event');
+ $tagger->tag($event->uid, $event->tags, $event->creator, 'event');
 /* Update Geolocation */
 if ($event->geoLocation && $gDriver = Kronolith::getGeoDriver()) {
@@ -747,7 +747,7 @@ class Kronolith_Driver_Sql extends Kronolith_Driver
 /* Remove any tags */
 $tagger = Kronolith::getTagger();
- $tagger->replaceTags($event->uid, array(), 'event');
+ $tagger->replaceTags($event->uid, array(), $event->creator, 'event');
 /* Remove any geolocation data */
 if ($gDriver = Kronolith::getGeoDriver()) {
diff --git a/kronolith/lib/Kronolith.php b/kronolith/lib/Kronolith.php
index 1d6e4f02e..97c758d42 100644
--- a/kronolith/lib/Kronolith.php
+++ b/kronolith/lib/Kronolith.php
@@ -1415,7 +1415,7 @@ class Kronolith
 $calendar->set('owner', null);
 }
 $tagger = self::getTagger();
- $tagger->tag($calendar->getName(), $info['tags'], 'calendar');
+ $tagger->tag($calendar->getName(), $info['tags'], $calendar->get('owner'), 'calendar');
 $result = $GLOBALS['kronolith_shares']->addShare($calendar);
 if ($result instanceof PEAR_Error) {
@@ -1456,7 +1456,7 @@ class Kronolith
 }
 $tagger = self::getTagger();
- $tagger->replaceTags($calendar->getName(), $info['tags'], 'calendar');
+ $tagger->replaceTags($calendar->getName(), $info['tags'], $calendar->get('owner'), 'calendar');
 }
 /**
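Review bot: In the first Kronolith.php hunk the owner handed to `tag()` can be null, because the context line just above sets `owner` to null and `Kronolith_Tagger::tag()` forwards the value unchanged as the user argument of `$this->_tagger->tag()`. What the content tagger does with a null user is not visible in this commit, so the call deserves a comment such as `// system calendars have no owner; their tags are stored with a null user`, or an explicit decision to skip tagging in that case. `tag()` also still runs before `addShare()` and its `PEAR_Error` check, so tags are written for a calendar whose creation may then fail. Both enclosing functions start outside their hunks.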
diff --git a/kronolith/lib/Tagger.php b/kronolith/lib/Tagger.php
index 3907d4335..eb72241b3 100644
--- a/kronolith/lib/Tagger.php
+++ b/kronolith/lib/Tagger.php
@@ -24,8 +24,9 @@ class Kronolith_Tagger
 protected $_tagger;
 /**
- * Constructor - needs to instantiate the Content_Tagger object if it's not
- * already present.
+ * Const'r
+ *
+ * @return Kronolith_Tagger
 */
 public function __construct()
 {
@@ -44,18 +45,19 @@ class Kronolith_Tagger
 *
 * @param string $localId The identifier of the kronolith object.
 * @param mixed $tags Either a single tag string or an array of tags.
+ * @param string $owner The tag owner (should normally be the owner of the resource).
 * @param string $content_type The type of object we are tagging (event/calendar).
 *
 * @return void
 */
- public function tag($localId, $tags, $content_type = 'event')
+ public function tag($localId, $tags, $owner, $content_type = 'event')
 {
 // If we don't have an array - split the string.
 if (!is_array($tags)) {
 $tags = $this->_tagger->splitTags($tags);
 }
- $this->_tagger->tag(Horde_Auth::getAuth(),
+ $this->_tagger->tag($owner,
 array('object' => $localId, 'type' => $this->_type_ids[$content_type]),
 $tags);
@@ -105,11 +107,12 @@ class Kronolith_Tagger
 *
 * @param string $localId The identifier for the kronolith object.
 * @param mixed $tags Either a tag_id, tag_name, or array of tag_ids.
+ * @param string $owner The tag owner - should normally be the resource owner.
 * @param $content_type The type of object that $localId represents.
 *
 * @return void
 */
- public function replaceTags($localId, $tags, $content_type = 'event')
+ public function replaceTags($localId, $tags, $owner, $content_type = 'event')
 {
 // First get a list of existing tags.
 $existing_tags = $this->getTags($localId, $content_type);
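Review bot: `tag()` and `replaceTags()` take the new required `$owner` as third parameter in front of the defaulted `$content_type`, so a caller this commit did not update, for example `tag($id, $tags, 'calendar')`, still runs and silently stores the tags for a user named 'calendar' against type 'event'. Dropping the default, `public function tag($localId, $tags, $owner, $content_type)`, would make such a stale three-argument call show up as a missing argument (edit.php would then pass 'event' explicitly). The docblocks should also say that `$owner` is trusted as given, that callers must have authorised the current user themselves now that `tag()` no longer uses `Horde_Auth::getAuth()`, and that null is passed for system-owned calendars. Both method bodies continue outside their hunks.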
@@ -122,7 +125,6 @@ class Kronolith_Tagger
 foreach ($existing_tags as $tag_id => $existing_tag) {
 $found = false;
 foreach ($tags as $tag_text) {
- //if ($existing_tag == Horde_String::lower($tag_text, true)) {
 if ($existing_tag == $tag_text) {
 $found = true;
 break;
@@ -149,7 +151,7 @@ class Kronolith_Tagger
 }
 }
- $this->tag($localId, $add, $content_type);
+ $this->tag($localId, $add, $owner, $content_type);
 }
 /**