From 2cac69ca86c81f492332f7b2f0fb792ba8f507db Mon Sep 17 00:00:00 2001
From: rabuzarus <>
Date: Wed, 22 Jun 2016 13:50:47 +0200
Subject: [PATCH] cal export && public calendar - even better permissions testing
---
 include/event.php | 7 ++++++-
 mod/cal.php | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/include/event.php b/include/event.php
index c826511f2..f2783ab36 100644
--- a/include/event.php
+++ b/include/event.php
@@ -818,8 +818,13 @@ function widget_events() {
 // of the profile page it should be the personal /events page. So we can use $a->user
 $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
- if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar")) )
+ // a little bit tricky permission testing because we have to respect many cases
+ if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events)
+ || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page)
+ || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled
+ ) {
 return;
+ }
 return replace_macros(get_markup_template("events_aside.tpl"), array(
 '$etitle' => t("Export"),
diff --git a/mod/cal.php b/mod/cal.php
index 5dab182e7..e2c84204b 100644
--- a/mod/cal.php
+++ b/mod/cal.php
@@ -302,7 +302,8 @@ function cal_content(&$a) {
 return;
 }
- if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) {
+ // Test permissions
+ if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) {
 notice( t('Permission denied.') . EOL);
 return;
 }
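Review bot: The strict comparison `local_user() !== $owner_uid` in the second clause of the new condition in widget_events (include/event.php) is type-sensitive, yet the same clause wraps `$owner_uid` in `intval()` for its truthiness test, which suggests the value may not be an integer; its assignment is outside the hunk. If `local_user()` yields an int and `$owner_uid` arrives as a string from a database row, the comparison is always true, so a logged-in owner whose `export_calendar` feature is off is treated as a foreign visitor. The check fails closed, so nothing is exposed, but the ownership test would not be doing what the comment says; compare like types with `local_user() !== intval($owner_uid)`. The same expression appears in the cal_content hunk in mod/cal.php and would need the same cast.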
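Review bot: The new guard in cal_content (mod/cal.php) decides only whether the export may run: once `export_calendar` is enabled for the owner, the condition is false for every visitor, logged in or not. Nothing in the hunk shows that the exported events are limited to those the viewer is allowed to see. The function continues outside the hunk, so that filtering may already happen further down. If it is not stated anywhere, I would replace the bare `// Test permissions` with a comment that records the assumption, for example `// feature flag only opens the export; the event query must still filter by the viewer's permissions`.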