better user permission check for files in ajax/calendar/

diff --git a/apps/calendar/ajax/calendar/activation.php b/apps/calendar/ajax/calendar/activation.php
index 3523590aa27df0180aaec803f183385eb3fb7f01..380db6a9437c46aae0ecc2546459d31c48f8bda5 100755 (executable)
--- a/apps/calendar/ajax/calendar/activation.php
+++ b/apps/calendar/ajax/calendar/activation.php
@@ -10,7 +10,11 @@
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 $calendarid = $_POST['calendarid'];
-$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
+$calendar = OC_Calendar_App::getCalendar($calendarid, true);
+if(!$calendar){
+       OCP\JSON::error(array('message'=>'permission denied'));
+       exit;
+}
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
 $calendar = OC_Calendar_App::getCalendar($calendarid);
 OCP\JSON::success(array(

diff --git a/apps/calendar/ajax/calendar/delete.php b/apps/calendar/ajax/calendar/delete.php
index a36a05346500c436b64892fb19e3257451c6548b..9e092f2df1d931d9c4cd9d32bb21db3460c8a412 100755 (executable)
--- a/apps/calendar/ajax/calendar/delete.php
+++ b/apps/calendar/ajax/calendar/delete.php
@@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
 $cal = $_POST["calendarid"];
-$calendar = OC_Calendar_App::getCalendar($cal);
+$calendar = OC_Calendar_App::getCalendar($cal, true);
+if(!$calendar){
+       OCP\JSON::error(array('message'=>'permission denied'));
+       exit;
+}
 $del = OC_Calendar_Calendar::deleteCalendar($cal);
 if($del == true){
        OCP\JSON::success();

diff --git a/apps/calendar/ajax/calendar/edit.php b/apps/calendar/ajax/calendar/edit.php
index 77366809311ced6709508d3b0f0372eaccf2fc16..516c9f6c765c81237ad0265720708e70d346bea8 100755 (executable)
--- a/apps/calendar/ajax/calendar/edit.php
+++ b/apps/calendar/ajax/calendar/edit.php
@@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
 $calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
-$calendar = OC_Calendar_App::getCalendar($_GET['calendarid']);
+$calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);
+if(!$calendar){
+       OCP\JSON::error(array('message'=>'permission denied'));
+       exit;
+}
 $tmpl = new OCP\Template("calendar", "part.editcalendar");
 $tmpl->assign('new', false);
 $tmpl->assign('calendarcolor_options', $calendarcolor_options);

diff --git a/apps/calendar/ajax/calendar/update.php b/apps/calendar/ajax/calendar/update.php
index 3b1cc32b3165bfc7cf2d5c4e2c9e6d3f8e5459ef..dce0027304aba8086bb16b80c1162ac205dc3bcb 100755 (executable)
--- a/apps/calendar/ajax/calendar/update.php
+++ b/apps/calendar/ajax/calendar/update.php
@@ -25,7 +25,11 @@ foreach($calendars as $cal){
 }
 
 $calendarid = $_POST['id'];
-$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
+$calendar = OC_Calendar_App::getCalendar($calendarid, true);
+if(!$calendar){
+       OCP\JSON::error(array('message'=>'permission denied'));
+       exit;
+}
 OC_Calendar_Calendar::editCalendar($calendarid, strip_tags($_POST['name']), null, null, null, $_POST['color']);
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);