From b830b3e24b281204344e9162352c7034f0a67187 Mon Sep 17 00:00:00 2001
From: Michael Gapczynski
Date: Wed, 8 Aug 2012 21:43:02 -0400
Subject: [PATCH] Start adding permission checks for addressbooks

---
 apps/contacts/lib/addressbook.php | 14 +++++++++++++-
 apps/contacts/lib/app.php | 28 ++++++++++++++++------------
 apps/contacts/lib/vcard.php | 18 ++++++++++++++++--
 lib/public/share.php | 1 +
 4 files changed, 46 insertions(+), 15 deletions(-)

diff --git a/apps/contacts/lib/addressbook.php b/apps/contacts/lib/addressbook.php
index a81b1f7798..92c5f4da3a 100644
--- a/apps/contacts/lib/addressbook.php
+++ b/apps/contacts/lib/addressbook.php
@@ -208,7 +208,12 @@ class OC_Contacts_Addressbook {
 	public static function edit($id,$name,$description) {
 		// Need these ones for checking uri
 		$addressbook = self::find($id);
-
+		if ($addressbook['userid'] != OCP\User::getUser()) {
+			$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
+			if (!$sharedAddressbook || !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
+				return false;
+			}
+		}
 		if(is_null($name)) {
 			$name = $addressbook['name'];
 		}
@@ -270,6 +275,13 @@ class OC_Contacts_Addressbook {
 	 * @return boolean
 	 */
 	public static function delete($id) {
+		$addressbook = self::find($id);
+		if ($addressbook['userid'] != OCP\User::getUser()) {
+			$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
+			if (!$sharedAddressbook || !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_DELETE)) {
+				return false;
+			}
+		}
 		self::setActive($id, false);
 		try {
 			$stmt = OCP\DB::prepare( 'DELETE FROM *PREFIX*contacts_addressbooks WHERE id = ?' );
diff --git a/apps/contacts/lib/app.php b/apps/contacts/lib/app.php
index 855a9c7416..e8d9abac41 100644
--- a/apps/contacts/lib/app.php
+++ b/apps/contacts/lib/app.php
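Review bot: The new guard in edit() reads `$addressbook['userid']` without checking that `self::find($id)` found anything, and the identical owner-or-share check is repeated in delete() in the next hunk and in vcard.php's add(); if find() returns false for an unknown id (it is outside the hunk, so I cannot confirm), the null-vs-user comparison quietly falls through to the share lookup instead of failing fast, and the loose `!=` should be `!==`. I would fail fast on a missing addressbook and move the owner/sharee decision into one private helper that takes the permission bit, so the three call sites cannot drift apart (delete() already differs from app.php by returning false with no log entry). The rewritten lines of edit() and the helper are sketched below; edit()'s body and delete() continue outside the hunk and keep their remaining code.
```php
	public static function edit($id,$name,$description) {
		// Need these ones for checking uri
		$addressbook = self::find($id);
		if (!$addressbook || !self::hasPermission($id, $addressbook, OCP\Share::PERMISSION_UPDATE)) {
			return false;
		}
		// … unchanged: name/description defaults and the UPDATE query …
	}

	/**
	 * Whether the current user may act on $addressbook with $permission:
	 * the owner always may; a sharee needs the matching bit in the share's permissions.
	 * @return boolean
	 */
	private static function hasPermission($id, $addressbook, $permission) {
		if ($addressbook['userid'] === OCP\User::getUser()) {
			return true;
		}
		$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
		return (bool) ($sharedAddressbook && ($sharedAddressbook['permissions'] & $permission));
	}
```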
@@ -37,19 +37,23 @@ class OC_Contacts_App {
 					)
 				)
 			);
-		}
-		else {
-			OCP\Util::writeLog('contacts',
-				'Addressbook('.$id.') is not from '.OCP\USER::getUser(),
-				OCP\Util::ERROR);
-			//throw new Exception('This is not your addressbook.');
-			OCP\JSON::error(
-				array(
-					'data' => array(
-						'message' => self::$l10n->t('This is not your addressbook.')
+		} else {
+			$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id, OC_Share_Backend_Addressbook::FORMAT_ADDRESSBOOKS);
+			if ($sharedAddressbook) {
+				return $sharedAddressbook;
+			} else {
+				OCP\Util::writeLog('contacts',
+					'Addressbook('.$id.') is not from '.OCP\USER::getUser(),
+					OCP\Util::ERROR);
+				//throw new Exception('This is not your addressbook.');
+				OCP\JSON::error(
+					array(
+						'data' => array(
+							'message' => self::$l10n->t('This is not your addressbook.')
+						)
 					)
-				)
-			);
+				);
+			}
 		}
 	}
 	return $addressbook;
diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php
index 990e790c03..a93ca399d3 100644
--- a/apps/contacts/lib/vcard.php
+++ b/apps/contacts/lib/vcard.php
@@ -292,12 +292,26 @@ class OC_Contacts_VCard{
 			OCP\Util::writeLog('contacts', 'OC_Contacts_VCard::add. No vCard supplied', OCP\Util::ERROR);
 			return null;
 		};
-
+		$addressbook = OC_Contacts_Addressbook::find($aid);
+		if ($addressbook['userid'] != OCP\User::getUser()) {
+			$sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $aid);
+			if (!$sharedAddressbook) {
+				return false;
+			}
+		} else {
+			$sharedAddressbook = false;
+		}
 		if(!$isnew) {
+			if ($sharedAddressbook && !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
+				return false;
+			}
 			OC_Contacts_App::loadCategoriesFromVCard($card);
 			self::updateValuesFromAdd($aid, $card);
+		} else {
+			if ($sharedAddressbook && !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_CREATE)) {
+				return false;
+			}
 		}
-
 		$card->setString('VERSION', '3.0');
 		// Add product ID is missing.
 		$prodid = trim($card->getAsString('PRODID'));
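Review bot: In the new not-shared branch, `OCP\JSON::error(...)` is followed by nothing, so control leaves the nested else and reaches the `return $addressbook;` visible at the end of the hunk; unless OCP\JSON::error() terminates the request (I cannot tell from here), a caller that ignores the emitted JSON still receives an addressbook the current user neither owns nor has shared with them. I would add `return false;` directly after the JSON::error() call, or act on the commented-out `throw`, so the authorization failure is visible to PHP callers and not only to the HTTP client. Note also that this lookup passes `OC_Share_Backend_Addressbook::FORMAT_ADDRESSBOOKS` while the sibling checks in addressbook.php and vcard.php call getItemSharedWithBySource() without a format and then read `['permissions']`; whichever shape carries the permissions bits, the call sites should agree. The enclosing function starts outside the hunk.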
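Review bot: The required permission in add() is chosen by `$isnew`, demanding PERMISSION_UPDATE when `!$isnew` and PERMISSION_CREATE otherwise, but from the hunk the `!$isnew` path only normalises the card (`updateValuesFromAdd`) before the same insertion code that follows outside the hunk; if add() always stores a new card, both paths are creations and a sharee holding only PERMISSION_CREATE would be wrongly refused whenever the caller leaves `$isnew` at its default. I would confirm what `$isnew` means to callers and, if it does not distinguish an update, check `OCP\Share::PERMISSION_CREATE` once before the `if(!$isnew)` branch. As in addressbook.php, `$addressbook['userid']` is read before checking that `OC_Contacts_Addressbook::find($aid)` returned a row, and the new `return false;` sits two lines under a `return null;` for a missing card, so callers now have two distinct failure values to test for. add()'s body continues outside the hunk.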
diff --git a/lib/public/share.php b/lib/public/share.php
index 113f55a348..bda2441b45 100644
--- a/lib/public/share.php
+++ b/lib/public/share.php
@@ -507,6 +507,7 @@ class Share {
 					$query_args[] = $root.$item;
 				} else {
 					$where .= " AND item_source = ?";
+					$column = 'item_source';
 					$query_args[] = $item;
 				}
 			} else {
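Review bot: `$column = 'item_source';` is now set in this else branch, but the sibling branch visible just above (`$query_args[] = $root.$item;`) and the outer `} else {` at the end of the hunk show no corresponding assignment; if `$column` is read later in this function (it starts and ends outside the hunk, so I cannot see the reader), every branch that builds `$where` needs to set it, otherwise the other paths proceed with an undefined variable. I would either assign `$column` next to each `$where .=` or initialise it once before the branching, e.g. `$column = null;`, and have the reader handle that case explicitly.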