Merge pull request #2631 from rabuzarus/1906-event-test
cal export && public calendar - fix permissions
This commit is contained in:
commit
eabf8734a8
2 changed files with 26 additions and 3 deletions
|
@ -818,7 +818,25 @@ function widget_events() {
|
||||||
// of the profile page it should be the personal /events page. So we can use $a->user
|
// of the profile page it should be the personal /events page. So we can use $a->user
|
||||||
$user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
|
$user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
|
||||||
|
|
||||||
if( !(local_user() )&& !(feature_enabled($owner_uid, "export_calendar")) )
|
|
||||||
|
// The permission testing is a little bit tricky because we have to respect many cases
|
||||||
|
|
||||||
|
// It's not the private events page (we don't get the $owner_uid for /events)
|
||||||
|
if(! local_user() && ! $owner_uid)
|
||||||
|
return;
|
||||||
|
|
||||||
|
// Cal logged in user (test permission at foreign profile page)
|
||||||
|
// If the $owner uid is available we know it is part of one of the profile pages (like /cal)
|
||||||
|
// So we have to test if if it's the own profile page of the logged in user
|
||||||
|
// or a foreign one. For foreign profile pages we need to check if the feature
|
||||||
|
// for exporting the cal is enabled (otherwise the widget would appear for logged in users
|
||||||
|
// on foreigen profile pages even if the widget is disabled)
|
||||||
|
if(intval($owner_uid) && local_user() !== $owner_uid && ! feature_enabled($owner_uid, "export_calendar"))
|
||||||
|
return;
|
||||||
|
|
||||||
|
// If it's a kind of profile page (intval($owner_uid)) return if the user not logged in and
|
||||||
|
// export feature isn't enabled
|
||||||
|
if(intval($owner_uid) && ! local_user() && ! feature_enabled($owner_uid, "export_calendar"))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
return replace_macros(get_markup_template("events_aside.tpl"), array(
|
return replace_macros(get_markup_template("events_aside.tpl"), array(
|
||||||
|
|
|
@ -153,7 +153,10 @@ function cal_content(&$a) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
$sql_extra = item_permissions_sql($owner_uid,$remote_contact,$groups);
|
// get the permissions
|
||||||
|
$sql_perms = item_permissions_sql($owner_uid,$remote_contact,$groups);
|
||||||
|
// we only want to have the events of the profile owner
|
||||||
|
$sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;
|
||||||
|
|
||||||
// get the tab navigation bar
|
// get the tab navigation bar
|
||||||
$tabs .= profile_tabs($a,false, $a->data['user']['nickname']);
|
$tabs .= profile_tabs($a,false, $a->data['user']['nickname']);
|
||||||
|
@ -299,7 +302,9 @@ function cal_content(&$a) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(! (feature_enabled($owner_uid, "export_calendar"))) {
|
// Test permissions
|
||||||
|
// Respect the export feature setting for all other /cal pages if it's not the own profile
|
||||||
|
if( ((local_user() !== $owner_uid)) && ! feature_enabled($owner_uid, "export_calendar")) {
|
||||||
notice( t('Permission denied.') . EOL);
|
notice( t('Permission denied.') . EOL);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue