From 8cc5dd35e80a166bc3b6058ec300542b8c8826fc Mon Sep 17 00:00:00 2001
From: rabuzarus <>
Date: Wed, 22 Jun 2016 00:39:52 +0200
Subject: [PATCH 1/4] cal export && public calendar - fix permissions
---
 include/event.php | 2 +-
 mod/cal.php | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/event.php b/include/event.php
index befda64eb1..c826511f23 100644
--- a/include/event.php
+++ b/include/event.php
@@ -818,7 +818,7 @@ function widget_events() {
 // of the profile page it should be the personal /events page. So we can use $a->user
 $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
- if( !(local_user() )&& !(feature_enabled($owner_uid, "export_calendar")) )
+ if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar")) )
 return;
 return replace_macros(get_markup_template("events_aside.tpl"), array(
diff --git a/mod/cal.php b/mod/cal.php
index a12a653426..5dab182e71 100644
--- a/mod/cal.php
+++ b/mod/cal.php
@@ -153,7 +153,10 @@ function cal_content(&$a) {
 return;
 }
- $sql_extra = item_permissions_sql($owner_uid,$remote_contact,$groups);
+ // get the permissions
+ $sql_perms = item_permissions_sql($owner_uid,$remote_contact,$groups);
+ // we only want to have the events of the profile owner
+ $sql_extra = " AND `event`.`cid` = 0 ";
 // get the tab navigation bar
 $tabs .= profile_tabs($a,false, $a->data['user']['nickname']);
@@ -299,7 +302,7 @@ function cal_content(&$a) {
 return;
 }
- if(! (feature_enabled($owner_uid, "export_calendar"))) {
+ if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) {
 notice( t('Permission denied.') . EOL);
 return;
 }
From 2cac69ca86c81f492332f7b2f0fb792ba8f507db Mon Sep 17 00:00:00 2001
From: rabuzarus <>
Date: Wed, 22 Jun 2016 13:50:47 +0200
Subject: [PATCH 2/4] cal export && public calendar - even better permissions testing
---
 include/event.php | 7 ++++++-
 mod/cal.php | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)
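Review bot: In patch 1/4, the `cal_content` hunk at `@@ -153,7 +153,10 @@` assigns `$sql_perms` but never uses it, so with this commit alone `$sql_extra` carries only the `cid = 0` filter and none of the clause that `item_permissions_sql()` supplied before. 3/4 appends it later; squashing 3/4 into this commit would keep any intermediate revision (a bisect, a partial backport) from listing events without the permission clause. The export check at `@@ -299,7 +302,7 @@` has a similar interim gap: `!(local_user())` only asks whether somebody is logged in, not whether the viewer is the owner, until 2/4 replaces it. Both function bodies continue outside the hunks.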
diff --git a/include/event.php b/include/event.php
index c826511f23..f2783ab36e 100644
--- a/include/event.php
+++ b/include/event.php
@@ -818,8 +818,13 @@ function widget_events() {
 // of the profile page it should be the personal /events page. So we can use $a->user
 $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
- if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar")) )
+ // a little bit tricky permission testing because we have to respect many cases
+ if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events)
+ || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page)
+ || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled
+ ) {
 return;
+ }
 return replace_macros(get_markup_template("events_aside.tpl"), array(
 '$etitle' => t("Export"),
diff --git a/mod/cal.php b/mod/cal.php
index 5dab182e71..e2c84204b4 100644
--- a/mod/cal.php
+++ b/mod/cal.php
@@ -302,7 +302,8 @@ function cal_content(&$a) {
 return;
 }
- if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) {
+ // Test permissions
+ if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) {
 notice( t('Permission denied.') . EOL);
 return;
 }
From 111f77ac64f954645bb4cbdbf654b14770fcb9a3 Mon Sep 17 00:00:00 2001
From: rabuzarus <>
Date: Wed, 22 Jun 2016 15:06:14 +0200
Subject: [PATCH 3/4] pub calendar - add sql perms to the query (I forgot to do this)
---
 mod/cal.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mod/cal.php b/mod/cal.php
index e2c84204b4..b04c3aab42 100644
--- a/mod/cal.php
+++ b/mod/cal.php
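Review bot: The strict comparison `local_user() !== $owner_uid` in the `widget_events` hunk of 2/4 only works if both sides have the same type, and the same condition calls `intval($owner_uid)` right beside it, which suggests `$owner_uid` may not be an integer. If it is a string (its assignment is outside the hunk, so this is an inference), the comparison is true even for the owner, who is then treated as a foreign viewer whenever export is disabled. That fails closed, but the owner check would be reliable as `local_user() !== intval($owner_uid)`, assuming `local_user()` returns an integer uid. The same comparison appears in the `cal_content` hunk at `@@ -302,7 +302,8 @@` and is carried into both hunks of 4/4.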
@@ -156,7 +156,7 @@ function cal_content(&$a) {
 // get the permissions
 $sql_perms = item_permissions_sql($owner_uid,$remote_contact,$groups);
 // we only want to have the events of the profile owner
- $sql_extra = " AND `event`.`cid` = 0 ";
+ $sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;
 // get the tab navigation bar
 $tabs .= profile_tabs($a,false, $a->data['user']['nickname']);
From e352458ef09a278a87d3cc3aba3021062658d2ef Mon Sep 17 00:00:00 2001
From: rabuzarus <>
Date: Thu, 23 Jun 2016 10:07:13 +0200
Subject: [PATCH 4/4] pub calendar - permission clean up and docu
---
 include/event.php | 25 +++++++++++++++++++------
 mod/cal.php | 3 ++-
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/include/event.php b/include/event.php
index f2783ab36e..7b77ee8d61 100644
--- a/include/event.php
+++ b/include/event.php
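Review bot: `$sql_perms` is concatenated into `$sql_extra` as raw SQL in the 3/4 hunk, so the query is only as safe as the escaping done inside `item_permissions_sql()` for `$remote_contact` and `$groups`, which is not visible here. A short comment on that line would record the assumption, e.g. `// $sql_perms is a pre-escaped SQL fragment from item_permissions_sql(); never append request data here`. The comment above it ("we only want to have the events of the profile owner") also no longer describes the whole line now that it carries the permission clause. `cal_content` continues outside the hunk.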
@@ -818,13 +818,26 @@ function widget_events() {
 // of the profile page it should be the personal /events page. So we can use $a->user
 $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
- // a little bit tricky permission testing because we have to respect many cases
- if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events)
- || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page)
- || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled
- ) {
+
+ // The permission testing is a little bit tricky because we have to respect many cases
+
+ // It's not the private events page (we don't get the $owner_uid for /events)
+ if(! local_user() && ! $owner_uid)
+ return;
+
+ // Cal logged in user (test permission at foreign profile page)
+ // If the $owner uid is available we know it is part of one of the profile pages (like /cal)
+ // So we have to test if if it's the own profile page of the logged in user
+ // or a foreign one. For foreign profile pages we need to check if the feature
+ // for exporting the cal is enabled (otherwise the widget would appear for logged in users
+ // on foreigen profile pages even if the widget is disabled)
+ if(intval($owner_uid) && local_user() !== $owner_uid && ! feature_enabled($owner_uid, "export_calendar"))
+ return;
+
+ // If it's a kind of profile page (intval($owner_uid)) return if the user not logged in and
+ // export feature isn't enabled
+ if(intval($owner_uid) && ! local_user() && ! feature_enabled($owner_uid, "export_calendar"))
 return;
- }
 return replace_macros(get_markup_template("events_aside.tpl"), array(
 '$etitle' => t("Export"),
diff --git a/mod/cal.php b/mod/cal.php
index b04c3aab42..a211a0ead9 100644
--- a/mod/cal.php
+++ b/mod/cal.php
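Review bot: The third guard added to `widget_events` in the 4/4 `include/event.php` hunk can never fire on its own: when `local_user()` is falsy and `intval($owner_uid)` is non-zero, `local_user() !== $owner_uid` is already true, so the second guard has returned for exactly those cases. Dropping the third `if`, or folding its comment into the second, leaves a single place to audit for the export permission. The new comment block also contains two typos, `if if` and `foreigen`, and the `return;` statements hang off brace-less `if`s, which is easy to break when a line is added to a permission check later. The function starts and ends outside the hunk.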
@@ -303,7 +303,8 @@ function cal_content(&$a) {
 }
 // Test permissions
- if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) {
+ // Respect the export feature setting for all other /cal pages if it's not the own profile
+ if( ((local_user() !== $owner_uid)) && ! feature_enabled($owner_uid, "export_calendar")) {
 notice( t('Permission denied.') . EOL);
 return;
 }
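Review bot: The export gate in the `cal_content` hunk of 4/4 checks only the owner's `export_calendar` setting, so once the feature is on, every visitor, logged in or not, reaches the export code. Whether that code applies the same `$sql_perms` restriction as the calendar view is not visible in this hunk; if it does not, restricted events could end up in an export for a viewer who cannot see them on the page. It is worth confirming that and stating it in the comment, for example `// feature flag only; the export query must still apply item_permissions_sql() for the viewer`. The function body continues outside the hunk.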