From 8cc5dd35e80a166bc3b6058ec300542b8c8826fc Mon Sep 17 00:00:00 2001 From: rabuzarus <> Date: Wed, 22 Jun 2016 00:39:52 +0200 Subject: [PATCH 1/4] cal export && public calendar - fix permissions --- include/event.php | 2 +- mod/cal.php | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/include/event.php b/include/event.php index befda64eb..c826511f2 100644 --- a/include/event.php +++ b/include/event.php @@ -818,7 +818,7 @@ function widget_events() { // of the profile page it should be the personal /events page. So we can use $a->user $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']); - if( !(local_user() )&& !(feature_enabled($owner_uid, "export_calendar")) ) + if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar")) ) return; return replace_macros(get_markup_template("events_aside.tpl"), array( diff --git a/mod/cal.php b/mod/cal.php index a12a65342..5dab182e7 100644 --- a/mod/cal.php +++ b/mod/cal.php @@ -153,7 +153,10 @@ function cal_content(&$a) { return; } - $sql_extra = item_permissions_sql($owner_uid,$remote_contact,$groups); + // get the permissions + $sql_perms = item_permissions_sql($owner_uid,$remote_contact,$groups); + // we only want to have the events of the profile owner + $sql_extra = " AND `event`.`cid` = 0 "; // get the tab navigation bar $tabs .= profile_tabs($a,false, $a->data['user']['nickname']); @@ -299,7 +302,7 @@ function cal_content(&$a) { return; } - if(! (feature_enabled($owner_uid, "export_calendar"))) { + if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) { notice( t('Permission denied.') . EOL); return; } From 2cac69ca86c81f492332f7b2f0fb792ba8f507db Mon Sep 17 00:00:00 2001 From: rabuzarus <> Date: Wed, 22 Jun 2016 13:50:47 +0200 Subject: [PATCH 2/4] cal export && public calendar - even better permissions testing --- include/event.php | 7 ++++++- mod/cal.php | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/include/event.php b/include/event.php index c826511f2..f2783ab36 100644 --- a/include/event.php +++ b/include/event.php @@ -818,8 +818,13 @@ function widget_events() { // of the profile page it should be the personal /events page. So we can use $a->user $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']); - if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar")) ) + // a little bit tricky permission testing because we have to respect many cases + if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events) + || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page) + || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled + ) { return; + } return replace_macros(get_markup_template("events_aside.tpl"), array( '$etitle' => t("Export"), diff --git a/mod/cal.php b/mod/cal.php index 5dab182e7..e2c84204b 100644 --- a/mod/cal.php +++ b/mod/cal.php @@ -302,7 +302,8 @@ function cal_content(&$a) { return; } - if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) { + // Test permissions + if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) { notice( t('Permission denied.') . EOL); return; } From 111f77ac64f954645bb4cbdbf654b14770fcb9a3 Mon Sep 17 00:00:00 2001 From: rabuzarus <> Date: Wed, 22 Jun 2016 15:06:14 +0200 Subject: [PATCH 3/4] pub calendar - add sql perms to the query (I forgot to do this) --- mod/cal.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod/cal.php b/mod/cal.php index e2c84204b..b04c3aab4 100644 --- a/mod/cal.php +++ b/mod/cal.php @@ -156,7 +156,7 @@ function cal_content(&$a) { // get the permissions $sql_perms = item_permissions_sql($owner_uid,$remote_contact,$groups); // we only want to have the events of the profile owner - $sql_extra = " AND `event`.`cid` = 0 "; + $sql_extra = " AND `event`.`cid` = 0 " . $sql_perms; // get the tab navigation bar $tabs .= profile_tabs($a,false, $a->data['user']['nickname']); From e352458ef09a278a87d3cc3aba3021062658d2ef Mon Sep 17 00:00:00 2001 From: rabuzarus <> Date: Thu, 23 Jun 2016 10:07:13 +0200 Subject: [PATCH 4/4] pub calendar - permission clean up and docu --- include/event.php | 25 +++++++++++++++++++------ mod/cal.php | 3 ++- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/include/event.php b/include/event.php index f2783ab36..7b77ee8d6 100644 --- a/include/event.php +++ b/include/event.php @@ -818,13 +818,26 @@ function widget_events() { // of the profile page it should be the personal /events page. So we can use $a->user $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']); - // a little bit tricky permission testing because we have to respect many cases - if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events) - || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page) - || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled - ) { + + // The permission testing is a little bit tricky because we have to respect many cases + + // It's not the private events page (we don't get the $owner_uid for /events) + if(! local_user() && ! $owner_uid) + return; + + // Cal logged in user (test permission at foreign profile page) + // If the $owner uid is available we know it is part of one of the profile pages (like /cal) + // So we have to test if if it's the own profile page of the logged in user + // or a foreign one. For foreign profile pages we need to check if the feature + // for exporting the cal is enabled (otherwise the widget would appear for logged in users + // on foreigen profile pages even if the widget is disabled) + if(intval($owner_uid) && local_user() !== $owner_uid && ! feature_enabled($owner_uid, "export_calendar")) + return; + + // If it's a kind of profile page (intval($owner_uid)) return if the user not logged in and + // export feature isn't enabled + if(intval($owner_uid) && ! local_user() && ! feature_enabled($owner_uid, "export_calendar")) return; - } return replace_macros(get_markup_template("events_aside.tpl"), array( '$etitle' => t("Export"), diff --git a/mod/cal.php b/mod/cal.php index b04c3aab4..a211a0ead 100644 --- a/mod/cal.php +++ b/mod/cal.php @@ -303,7 +303,8 @@ function cal_content(&$a) { } // Test permissions - if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) { + // Respect the export feature setting for all other /cal pages if it's not the own profile + if( ((local_user() !== $owner_uid)) && ! feature_enabled($owner_uid, "export_calendar")) { notice( t('Permission denied.') . EOL); return; }