add access check to ajax files

This commit is contained in:
Georg Ehrke 2012-04-07 22:37:26 -04:00
parent e18c0d54f6
commit eef9a1e7ed
5 changed files with 29 additions and 18 deletions

View File

@ -7,13 +7,14 @@
*/
require_once('../../../../lib/base.php');
$l10n = new OC_L10N('calendar');
OC_JSON::checkLoggedIn();
OC_JSON::checkAppEnabled('calendar');
$id = $_POST['id'];
$event_object = OC_Calendar_App::getEventObject($id);
$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
if($access != 'owner' && $access != 'rw'){
OC_JSON::error(array('message'=>'permission denied'));
exit;
}
$result = OC_Calendar_Object::delete($id);
OC_JSON::success();
?>

View File

@ -14,15 +14,14 @@ if(!OC_USER::isLoggedIn()) {
OC_JSON::checkAppEnabled('calendar');
$id = $_GET['id'];
$data = OC_Calendar_App::getEventObject($id);
$object = OC_VObject::parse($data['calendardata']);
$vevent = $object->VEVENT;
$access = OC_Calendar_App::check_access($id);
if(!$access){
$data = OC_Calendar_App::getEventObject($id, true, true);
if(!$data){
OC_JSON::error(array('data' => array('message' => self::$l10n->t('Wrong calendar'))));
exit;
}
$access = OC_Calendar_App::getaccess($id, OC_Calendar_Share::EVENT);
$object = OC_VObject::parse($data['calendardata']);
$vevent = $object->VEVENT;
$dtstart = $vevent->DTSTART;
$dtend = OC_Calendar_Object::getDTEndFromVEvent($vevent);
@ -214,7 +213,7 @@ if($access == 'owner' || $access == 'rw'){
$tmpl = new OC_Template('calendar', 'part.showevent');
}
$tmpl->assign('id', $id);
$tmpl->assign('eventid', $id);
$tmpl->assign('lastmodified', $lastmodified);
$tmpl->assign('calendar_options', $calendar_options);
$tmpl->assign('category_options', $category_options);

View File

@ -10,13 +10,20 @@ require_once('../../../../lib/base.php');
OC_JSON::checkLoggedIn();
OC_JSON::checkAppEnabled('calendar');
$id = $_POST['id'];
$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
if($access != 'owner' && $access != 'rw'){
OC_JSON::error(array('message'=>'permission denied'));
exit;
}
$errarr = OC_Calendar_Object::validateRequest($_POST);
if($errarr){
//show validate errors
OC_JSON::error($errarr);
exit;
}else{
$id = $_POST['id'];
$cal = $_POST['calendar'];
$data = OC_Calendar_App::getEventObject($id);
$vcalendar = OC_VObject::parse($data['calendardata']);

View File

@ -9,7 +9,11 @@ require_once('../../../../lib/base.php');
OC_JSON::checkLoggedIn();
$id = $_POST['id'];
$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
if($access != 'owner' && $access != 'rw'){
OC_JSON::error(array('message'=>'permission denied'));
exit;
}
$vcalendar = OC_Calendar_App::getVCalendar($id);
$vevent = $vcalendar->VEVENT;
@ -17,7 +21,6 @@ $allday = $_POST['allDay'];
$delta = new DateInterval('P0D');
$delta->d = $_POST['dayDelta'];
$delta->i = $_POST['minuteDelta'];
OC_Calendar_App::isNotModified($vevent, $_POST['lastmodified']);
$dtstart = $vevent->DTSTART;

View File

@ -10,7 +10,8 @@ OC_JSON::checkLoggedIn();
$id = $_POST['id'];
if(!OC_Calendar_Share::is_editing_allowed(OC_User::getUser(), $id, OC_Calendar_Share::EVENT) && OC_Calendar_Object::getowner($id) != OC_User::getUser()){
$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
if($access != 'owner' && $access != 'rw'){
OC_JSON::error(array('message'=>'permission denied'));
exit;
}