diff --git a/include/event.php b/include/event.php
index befda64eb..7b77ee8d6 100644
--- a/include/event.php
+++ b/include/event.php
@@ -818,7 +818,25 @@ function widget_events() {
 // of the profile page it should be the personal /events page. So we can use $a->user
 $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
- if( !(local_user() )&& !(feature_enabled($owner_uid, "export_calendar")) )
+
+ // The permission testing is a little bit tricky because we have to respect many cases
+
+ // It's not the private events page (we don't get the $owner_uid for /events)
+ if(! local_user() && ! $owner_uid)
+ return;
+
+ // Cal logged in user (test permission at foreign profile page)
+ // If the $owner uid is available we know it is part of one of the profile pages (like /cal)
+ // So we have to test if if it's the own profile page of the logged in user
+ // or a foreign one. For foreign profile pages we need to check if the feature
+ // for exporting the cal is enabled (otherwise the widget would appear for logged in users
+ // on foreigen profile pages even if the widget is disabled)
+ if(intval($owner_uid) && local_user() !== $owner_uid && ! feature_enabled($owner_uid, "export_calendar"))
+ return;
+
+ // If it's a kind of profile page (intval($owner_uid)) return if the user not logged in and
+ // export feature isn't enabled
+ if(intval($owner_uid) && ! local_user() && ! feature_enabled($owner_uid, "export_calendar"))
 return;
 return replace_macros(get_markup_template("events_aside.tpl"), array(
diff --git a/mod/cal.php b/mod/cal.php
index a12a65342..a211a0ead 100644
--- a/mod/cal.php
+++ b/mod/cal.php
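Review bot: The strict comparison `local_user() !== $owner_uid` in the second added check of widget_events() recognises the owner only when both sides have the same type, and neither the return type of local_user() nor the place where `$owner_uid` is assigned is visible in this hunk. If the uid arrives as a string (for instance from a database row) while local_user() returns an integer, the owner's own page is always treated as a foreign one; that fails closed, but it defeats the own-profile exception the comments describe. The same comparison gates the export branch in the third hunk (mod/cal.php, cal_content()), so both places would benefit from normalising one side, e.g. `local_user() !== intval($owner_uid)`, assuming local_user() yields an integer uid. The third added check also appears redundant, since a logged-out visitor can never be identical to a non-zero `$owner_uid` and is therefore already caught by the second check. The body of widget_events() starts above the hunk and continues below it.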
@@ -153,7 +153,10 @@ function cal_content(&$a) {
 return;
 }
- $sql_extra = item_permissions_sql($owner_uid,$remote_contact,$groups);
+ // get the permissions
+ $sql_perms = item_permissions_sql($owner_uid,$remote_contact,$groups);
+ // we only want to have the events of the profile owner
+ $sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;
 // get the tab navigation bar
 $tabs .= profile_tabs($a,false, $a->data['user']['nickname']);
@@ -299,7 +302,9 @@ function cal_content(&$a) {
 return;
 }
- if(! (feature_enabled($owner_uid, "export_calendar"))) {
+ // Test permissions
+ // Respect the export feature setting for all other /cal pages if it's not the own profile
+ if( ((local_user() !== $owner_uid)) && ! feature_enabled($owner_uid, "export_calendar")) {
 notice( t('Permission denied.') . EOL);
 return;
 }
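Review bot: The `cid = 0` restriction in the first cal_content() hunk is attached only to `$sql_extra`, so it protects only the queries that append that variable; those queries, and whatever the export branch in the following hunk runs, are outside this diff. It is worth confirming that the export path also limits its result to the profile owner's events and applies the permission SQL, otherwise enabling export could return entries that the listing now hides. The added comment could also record the dependency, for example `// cid = 0 limits the result to the profile owner's own events; every query on this page must append $sql_extra`. cal_content() begins and ends outside both hunks.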