From cb1d6f221086dfc385c352269232847ff5876c9b Mon Sep 17 00:00:00 2001
From: Jan Schneider
Date: Wed, 9 Jun 2010 12:31:15 +0200
Subject: [PATCH] Don't disclose permissions if not the owner. Convert user names.

---
 kronolith/lib/Ajax/Application.php | 10 +++++-----
 kronolith/lib/Kronolith.php | 39 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/kronolith/lib/Ajax/Application.php b/kronolith/lib/Ajax/Application.php
index 6e621fa36..224af8d9e 100644
--- a/kronolith/lib/Ajax/Application.php
+++ b/kronolith/lib/Ajax/Application.php
@@ -558,7 +558,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
 try {
 $calendar = Kronolith::addShare($info);
 Kronolith::readPermsForm($calendar);
- $result->perms = $calendar->getPermission()->data;
+ $result->perms = Kronolith::permissionToJson($calendar->getPermission());
 } catch (Exception $e) {
 $GLOBALS['notification']->push($e, 'horde.error');
 return $result;
@@ -575,7 +575,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
 $original_name = $calendar->get('name');
 Kronolith::updateShare($calendar, $info);
 Kronolith::readPermsForm($calendar);
- $result->perms = $calendar->getPermission()->data;
+ $result->perms = Kronolith::permissionToJson($calendar->getPermission());
 } catch (Exception $e) {
 $GLOBALS['notification']->push($e, 'horde.error');
 return $result;
@@ -605,7 +605,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
 try {
 $tasklist = $GLOBALS['registry']->tasks->addTasklist($calendar['name'], $calendar['description'], $calendar['color']);
 Kronolith::readPermsForm($tasklist);
- $result->perms = $tasklist->getPermission()->data;
+ $result->perms = Kronolith::permissionToJson($tasklist->getPermission());
 } catch (Exception $e) {
 $GLOBALS['notification']->push($e, 'horde.error');
 return $result;
@@ -625,7 +625,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
 try {
 $GLOBALS['registry']->tasks->updateTasklist($calendar_id, $calendar);
 Kronolith::readPermsForm($tasklists[$calendar_id]);
- $result->perms = $tasklists[$calendar_id]->getPermission()->data;
+ $result->perms = Kronolith::permissionToJson($tasklists[$calendar_id]->getPermission());
 } catch (Exception $e) {
 $GLOBALS['notification']->push($e, 'horde.error');
 return $result;
@@ -739,7 +739,7 @@ class Kronolith_Ajax_Application extends Horde_Ajax_Application_Base
 'fg' => Kronolith::foregroundColor($calendar),
 'bg' => Kronolith::backgroundColor($calendar),
 'show' => false,
- 'perms' => $calendar->getPermission()->data,
+ 'perms' => Kronolith::permissionToJson($calendar->getPermission()),
 'edit' => $calendar->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::EDIT),
 'tg' => array_values($tagger->getTags($calendar->getName(), 'calendar')));
 return $result;
diff --git a/kronolith/lib/Kronolith.php b/kronolith/lib/Kronolith.php
index cea6e90e9..deab309c3 100644
--- a/kronolith/lib/Kronolith.php
+++ b/kronolith/lib/Kronolith.php
@@ -262,11 +262,13 @@ class Kronolith
 'fg' => self::foregroundColor($calendar),
 'bg' => self::backgroundColor($calendar),
 'show' => in_array($id, $GLOBALS['display_calendars']),
- 'perms' => $calendar->getPermission()->data,
 'edit' => $calendar->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::EDIT),
 'sub' => $subscriptionCals . ($calendar->get('owner') ? $calendar->get('owner') : '-system-') . '/' . $calendar->getName() . '.ics',
 'feed' => (string)Kronolith::feedUrl($calendar->getName()),
 'tg' => array_values($tagger->getTags($calendar->getName(), 'calendar')));
+ if ($owner) {
+ $code['conf']['calendars']['internal'][$id]['perms'] = self::permissionToJson($calendar->getPermission());
+ }
 }
 }
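Review bot: In the `@@ -739` hunk of Application.php the `'perms'` entry is now built through `permissionToJson()` but, unlike the two Kronolith.php hunks, it is not gated on ownership; if this Ajax response can be produced for a calendar the current user does not own, every other user's permission entry is still disclosed, since the helper only removes the caller's own entry. The enclosing method starts outside the hunk, so an earlier ownership check may exist; if it does not, emit `'perms'` only under the same `if ($owner)` condition Kronolith.php uses, e.g. `if ($owner) { $result['perms'] = Kronolith::permissionToJson($calendar->getPermission()); }` after the array is built. The `@@ -558`, `-575`, `-605` and `-625` hunks run right after the caller created or updated the share and so are presumably owner-only paths, but that is not visible from the diff either.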
@@ -291,9 +293,11 @@ class Kronolith
 'fg' => self::foregroundColor($tasklist),
 'bg' => self::backgroundColor($tasklist),
 'show' => in_array('tasks/' . $id, $GLOBALS['display_external_calendars']),
- 'perms' => $tasklist->getPermission()->data,
 'edit' => $tasklist->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::EDIT),
 'sub' => $subscriptionTasks . ($tasklist->get('owner') ? $tasklist->get('owner') : '-system-') . '/' . $tasklist->getName() . '.ics');
+ if ($owner) {
+ $code['conf']['calendars']['tasklists']['tasks/' . $id]['perms'] = self::permissionToJson($tasklist->getPermission());
+ }
 }
 }
 }
@@ -387,6 +391,37 @@ class Kronolith
 }
 /**
+ * Converts a permission object to a json object.
+ *
+ * This methods filters out any permissions for the owner and converts the
+ * user name if necessary.
+ *
+ * @param Horde_Perms_Permission $perm A permission object.
+ *
+ * @return array A hash suitable for json.
+ */
+ public static function permissionToJson(Horde_Perms_Permission $perm)
+ {
+ $json = $perm->data;
+ if (isset($json['users'])) {
+ $users = array();
+ foreach ($json['users'] as $user => $value) {
+ if ($user == $GLOBALS['registry']->getAuth()) {
+ continue;
+ }
+ $user = $GLOBALS['registry']->convertUsername($user, false);
+ $users[$user] = $value;
+ }
+ if ($users) {
+ $json['users'] = $users;
+ } else {
+ unset($json['users']);
+ }
+ }
+ return $json;
+ }
+
+ /**
 * Returns all the alarms active on a specific date.
 *
 * @param Horde_Date $date The date to check for alarms.
-- 
2.11.0
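Review bot: `permissionToJson()` in the `@@ -387` hunk drops the entry for `$GLOBALS['registry']->getAuth()`, i.e. the currently authenticated user, while its docblock says it filters out the owner; the two only coincide when the caller has already established ownership, as the `if ($owner)` guards in this file do. Either compare against the share's actual owner or reword the docblock, e.g. `* This method filters out the permissions of the current user and converts` (the existing text also has the typo `This methods`). The comparison should be strict, `if ($user === $GLOBALS['registry']->getAuth()) {`, so that numeric-looking user names are not matched by PHP's loose `==`. If `convertUsername()` can map two backend names to the same converted name, the later `$users[$user] = $value;` silently overwrites the earlier entry and a permission would vanish from the output — worth confirming against the registry's conversion rules.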