sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

better user permission check for files in ajax/calendar/

remotes/origin/stable4
Georg Ehrke 2012-05-14 15:59:06 +07:00
parent 84827ff992
commit 18c8896b3c
4 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/calendar/ajax/calendar/activation.php
Unescape Escape View File

@ -10,7 +10,11 @@
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
$calendarid = $_POST['calendarid'];
$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
$calendar = OC_Calendar_App::getCalendar($calendarid, true);
if(!$calendar){
OCP\JSON::error(array('message'=>'permission denied'));
exit;
}
OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
$calendar = OC_Calendar_App::getCalendar($calendarid);
OCP\JSON::success(array(

6
apps/calendar/ajax/calendar/delete.php
Unescape Escape View File

@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
$cal = $_POST["calendarid"];
$calendar = OC_Calendar_App::getCalendar($cal);
$calendar = OC_Calendar_App::getCalendar($cal, true);
if(!$calendar){
OCP\JSON::error(array('message'=>'permission denied'));
exit;
}
$del = OC_Calendar_Calendar::deleteCalendar($cal);
if($del == true){
OCP\JSON::success();

6
apps/calendar/ajax/calendar/edit.php
Unescape Escape View File

@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar');
$calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
$calendar = OC_Calendar_App::getCalendar($_GET['calendarid']);
$calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);
if(!$calendar){
OCP\JSON::error(array('message'=>'permission denied'));
exit;
}
$tmpl = new OCP\Template("calendar", "part.editcalendar");
$tmpl->assign('new', false);
$tmpl->assign('calendarcolor_options', $calendarcolor_options);

6
apps/calendar/ajax/calendar/update.php
Unescape Escape View File

@ -25,7 +25,11 @@ foreach($calendars as $cal){
}
$calendarid = $_POST['id'];
$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
$calendar = OC_Calendar_App::getCalendar($calendarid, true);
if(!$calendar){
OCP\JSON::error(array('message'=>'permission denied'));
exit;
}
OC_Calendar_Calendar::editCalendar($calendarid, strip_tags($_POST['name']), null, null, null, $_POST['color']);
OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);