authorGeorg Ehrke <dev@georgswebsite.de>2012-04-08 06:37:26 +0400
committerGeorg Ehrke <dev@georgswebsite.de>2012-04-08 06:37:26 +0400
commiteef9a1e7ed63a3d6506afd0dbf84d16fbf8c1064 (patch)
tree495aacd95819abbfd768f0bc72901fd7ea976b27 /apps/calendar
parente18c0d54f6f424614cc6e4da3beb704efaab702f (diff)
add access check to ajax files
Diffstat (limited to 'apps/calendar')
-rw-r--r--apps/calendar/ajax/event/delete.php11
-rw-r--r--apps/calendar/ajax/event/edit.form.php13
-rw-r--r--apps/calendar/ajax/event/edit.php9
-rw-r--r--apps/calendar/ajax/event/move.php9
-rw-r--r--apps/calendar/ajax/event/resize.php5
5 files changed, 29 insertions, 18 deletions
diff --git a/apps/calendar/ajax/event/delete.php b/apps/calendar/ajax/event/delete.php
index 862dec6bf5b..6307e1a0f27 100644
--- a/apps/calendar/ajax/event/delete.php
+++ b/apps/calendar/ajax/event/delete.php
@@ -7,13 +7,14 @@
*/
require_once('../../../../lib/base.php');
-$l10n = new OC_L10N('calendar');
-
OC_JSON::checkLoggedIn();
OC_JSON::checkAppEnabled('calendar');
$id = $_POST['id'];
-$event_object = OC_Calendar_App::getEventObject($id);
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+ OC_JSON::error(array('message'=>'permission denied'));
+ exit;
+}
$result = OC_Calendar_Object::delete($id);
-OC_JSON::success();
-?>
+OC_JSON::success(); \ No newline at end of file
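Review bot: The sharing-type constant on the `$access = ...` line is `OC_Calendar_App::EVENT`, while edit.form.php in this same commit passes `OC_Calendar_Share::EVENT` and the code removed from resize.php also used `OC_Calendar_Share::EVENT`; if the constant is only declared on OC_Calendar_Share, this line is an undefined-class-constant fatal rather than a permission check (it fails closed, but deletion then breaks for every user). The same spelling appears in the edit.php, move.php and resize.php hunks, so settle on one class and use it in all five files, ideally through a single helper that wraps getaccess() plus the owner/rw test instead of four hand-copied guards. Separately, `$result` from OC_Calendar_Object::delete() is never inspected, so a failed delete still answers OC_JSON::success(); `if(!$result){ OC_JSON::error(array('message'=>'delete failed')); exit; }` before the success call would make the response honest.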
diff --git a/apps/calendar/ajax/event/edit.form.php b/apps/calendar/ajax/event/edit.form.php
index ab77a747f1c..a2e3fe6163f 100644
--- a/apps/calendar/ajax/event/edit.form.php
+++ b/apps/calendar/ajax/event/edit.form.php
@@ -14,15 +14,14 @@ if(!OC_USER::isLoggedIn()) {
OC_JSON::checkAppEnabled('calendar');
$id = $_GET['id'];
-$data = OC_Calendar_App::getEventObject($id);
-$object = OC_VObject::parse($data['calendardata']);
-$vevent = $object->VEVENT;
-
-$access = OC_Calendar_App::check_access($id);
-if(!$access){
+$data = OC_Calendar_App::getEventObject($id, true, true);
+if(!$data){
OC_JSON::error(array('data' => array('message' => self::$l10n->t('Wrong calendar'))));
exit;
}
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_Share::EVENT);
+$object = OC_VObject::parse($data['calendardata']);
+$vevent = $object->VEVENT;
$dtstart = $vevent->DTSTART;
$dtend = OC_Calendar_Object::getDTEndFromVEvent($vevent);
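Review bot: The guard that replaces the removed `check_access($id)` test is `if(!$data)`, so read access is now enforced only if the two boolean arguments of `getEventObject($id, true, true)` perform that check — their meaning is not visible here, and the `$access` value computed after the guard is never tested for emptiness before the event is parsed, so please confirm that an event the caller may not read still ends in the error branch. That error branch calls `self::$l10n->t(...)` at file scope; `self` has no meaning outside a class, so the 'Wrong calendar' JSON would be replaced by a fatal error, and the call should refer to the file's own OC_L10N instance. Note also that this file uses `OC_Calendar_Share::EVENT` where the other four files in the commit use `OC_Calendar_App::EVENT`.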
@@ -214,7 +213,7 @@ if($access == 'owner' || $access == 'rw'){
$tmpl = new OC_Template('calendar', 'part.showevent');
}
-$tmpl->assign('id', $id);
+$tmpl->assign('eventid', $id);
$tmpl->assign('lastmodified', $lastmodified);
$tmpl->assign('calendar_options', $calendar_options);
$tmpl->assign('category_options', $category_options);
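Review bot: The template variable is renamed from `id` to `eventid`, but the diffstat lists only the five ajax files, so the templates that read this value (part.showevent and the edit template chosen above) are presumably still looking up the old name and will render an empty event id; confirm they were updated in a separate commit or include the template change here.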
diff --git a/apps/calendar/ajax/event/edit.php b/apps/calendar/ajax/event/edit.php
index 64daffddef0..8dd99b2b100 100644
--- a/apps/calendar/ajax/event/edit.php
+++ b/apps/calendar/ajax/event/edit.php
@@ -10,13 +10,20 @@ require_once('../../../../lib/base.php');
OC_JSON::checkLoggedIn();
OC_JSON::checkAppEnabled('calendar');
+$id = $_POST['id'];
+
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+ OC_JSON::error(array('message'=>'permission denied'));
+ exit;
+}
+
$errarr = OC_Calendar_Object::validateRequest($_POST);
if($errarr){
//show validate errors
OC_JSON::error($errarr);
exit;
}else{
- $id = $_POST['id'];
$cal = $_POST['calendar'];
$data = OC_Calendar_App::getEventObject($id);
$vcalendar = OC_VObject::parse($data['calendardata']);
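Review bot: The new check only covers the event `$id`; `$cal = $_POST['calendar']` on the last lines of the hunk is still taken from the request, and if the edit can move the event into that calendar (the rest of the else-branch is outside the hunk) the caller's write permission on the target calendar is not verified anywhere here. Consider applying the same getaccess()-style test to `$cal` before the edit is persisted, or rejecting a `calendar` value that differs from the event's current calendar when the caller is not its owner. Minor: `$id = $_POST['id']` is read without isset(), so a request without an id raises a notice and then proceeds into getaccess() with null; `$id = isset($_POST['id']) ? $_POST['id'] : null;` followed by an early error keeps that path clean.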
diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php
index 8150fdbaa32..c6743e2354f 100644
--- a/apps/calendar/ajax/event/move.php
+++ b/apps/calendar/ajax/event/move.php
@@ -9,7 +9,11 @@ require_once('../../../../lib/base.php');
OC_JSON::checkLoggedIn();
$id = $_POST['id'];
-
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+ OC_JSON::error(array('message'=>'permission denied'));
+ exit;
+}
$vcalendar = OC_Calendar_App::getVCalendar($id);
$vevent = $vcalendar->VEVENT;
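Review bot: Unlike delete.php and edit.php, the new check in this file follows `OC_JSON::checkLoggedIn()` without an `OC_JSON::checkAppEnabled('calendar')` call; the hunk starts at line 9 directly after the require_once, so unless that call sits further down the file, a disabled calendar app still serves this endpoint. Adding `OC_JSON::checkAppEnabled('calendar');` right after checkLoggedIn() keeps the five ajax files consistent. The `dayDelta`/`minuteDelta` values assigned into the DateInterval in the next hunk are likewise used straight from `$_POST`; casting them with `(int)` would stop non-numeric input from reaching the date arithmetic.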
@@ -17,7 +21,6 @@ $allday = $_POST['allDay'];
$delta = new DateInterval('P0D');
$delta->d = $_POST['dayDelta'];
$delta->i = $_POST['minuteDelta'];
-
OC_Calendar_App::isNotModified($vevent, $_POST['lastmodified']);
$dtstart = $vevent->DTSTART;
@@ -40,4 +43,4 @@ $vevent->setDateTime('DTSTAMP', 'now', Sabre_VObject_Element_DateTime::UTC);
$result = OC_Calendar_Object::edit($id, $vcalendar->serialize());
$lastmodified = $vevent->__get('LAST-MODIFIED')->getDateTime();
-OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
+OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U'))); \ No newline at end of file
diff --git a/apps/calendar/ajax/event/resize.php b/apps/calendar/ajax/event/resize.php
index 1136273b706..a2ae83111b8 100644
--- a/apps/calendar/ajax/event/resize.php
+++ b/apps/calendar/ajax/event/resize.php
@@ -10,8 +10,9 @@ OC_JSON::checkLoggedIn();
$id = $_POST['id'];
-if(!OC_Calendar_Share::is_editing_allowed(OC_User::getUser(), $id, OC_Calendar_Share::EVENT) && OC_Calendar_Object::getowner($id) != OC_User::getUser()){
- OC_JSON::error(array('message'=>'permissiondenied'));
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+ OC_JSON::error(array('message'=>'permission denied'));
exit;
}