Start adding permission checks for addressbooks
This commit is contained in:
Michael Gapczynski
parent
2c5744f16c
commit
b830b3e24b
|
|
@ -208,7 +208,12 @@ class OC_Contacts_Addressbook {
|
|||
public static function edit($id,$name,$description) {
|
||||
// Need these ones for checking uri
|
||||
$addressbook = self::find($id);
|
||||
|
||||
if ($addressbook['userid'] != OCP\User::getUser()) {
|
||||
$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
|
||||
if (!$sharedAddressbook || !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if(is_null($name)) {
|
||||
$name = $addressbook['name'];
|
||||
}
|
||||
|
|
@ -270,6 +275,13 @@ class OC_Contacts_Addressbook {
|
|||
* @return boolean
|
||||
*/
|
||||
public static function delete($id) {
|
||||
$addressbook = self::find($id);
|
||||
if ($addressbook['userid'] != OCP\User::getUser()) {
|
||||
$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
|
||||
if (!$sharedAddressbook || !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_DELETE)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
self::setActive($id, false);
|
||||
try {
|
||||
$stmt = OCP\DB::prepare( 'DELETE FROM *PREFIX*contacts_addressbooks WHERE id = ?' );
|
||||
|
|
|
|||
|
|
@ -37,19 +37,23 @@ class OC_Contacts_App {
|
|||
)
|
||||
)
|
||||
);
|
||||
}
|
||||
else {
|
||||
OCP\Util::writeLog('contacts',
|
||||
'Addressbook('.$id.') is not from '.OCP\USER::getUser(),
|
||||
OCP\Util::ERROR);
|
||||
//throw new Exception('This is not your addressbook.');
|
||||
OCP\JSON::error(
|
||||
array(
|
||||
'data' => array(
|
||||
'message' => self::$l10n->t('This is not your addressbook.')
|
||||
} else {
|
||||
$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id, OC_Share_Backend_Addressbook::FORMAT_ADDRESSBOOKS);
|
||||
if ($sharedAddressbook) {
|
||||
return $sharedAddressbook;
|
||||
} else {
|
||||
OCP\Util::writeLog('contacts',
|
||||
'Addressbook('.$id.') is not from '.OCP\USER::getUser(),
|
||||
OCP\Util::ERROR);
|
||||
//throw new Exception('This is not your addressbook.');
|
||||
OCP\JSON::error(
|
||||
array(
|
||||
'data' => array(
|
||||
'message' => self::$l10n->t('This is not your addressbook.')
|
||||
)
|
||||
)
|
||||
)
|
||||
);
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
return $addressbook;
|
||||
|
|
|
|||
|
|
@ -292,12 +292,26 @@ class OC_Contacts_VCard{
|
|||
OCP\Util::writeLog('contacts', 'OC_Contacts_VCard::add. No vCard supplied', OCP\Util::ERROR);
|
||||
return null;
|
||||
};
|
||||
|
||||
$addressbook = OC_Contacts_Addressbook::find($aid);
|
||||
if ($addressbook['userid'] != OCP\User::getUser()) {
|
||||
$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $aid);
|
||||
if (!$sharedAddressbook) {
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
$sharedAddressbook = false;
|
||||
}
|
||||
if(!$isnew) {
|
||||
if ($sharedAddressbook && !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
|
||||
return false;
|
||||
}
|
||||
OC_Contacts_App::loadCategoriesFromVCard($card);
|
||||
self::updateValuesFromAdd($aid, $card);
|
||||
} else {
|
||||
if ($sharedAddressbook && !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_CREATE)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
$card->setString('VERSION', '3.0');
|
||||
// Add product ID is missing.
|
||||
$prodid = trim($card->getAsString('PRODID'));
|
||||
|
|
|
|||
|
|
@ -507,6 +507,7 @@ class Share {
|
|||
$query_args[] = $root.$item;
|
||||
} else {
|
||||
$where .= " AND item_source = ?";
|
||||
$column = 'item_source';
|
||||
$query_args[] = $item;
|
||||
}
|
||||
} else {
|
||||
|
|
|
|||
Loading…
Reference in New Issue