From: Georg Ehrke Date: Sun, 8 Apr 2012 02:37:26 +0000 (-0400) Subject: add access check to ajax files X-Git-Tag: v4.0.0beta~244^2~29 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=eef9a1e7ed63a3d6506afd0dbf84d16fbf8c1064;p=nextcloud-server.git add access check to ajax files
---
diff --git a/apps/calendar/ajax/event/delete.php b/apps/calendar/ajax/event/delete.php
index 862dec6bf5b..6307e1a0f27 100644
--- a/apps/calendar/ajax/event/delete.php
+++ b/apps/calendar/ajax/event/delete.php
@@ -7,13 +7,14 @@ */
 require_once('../../../../lib/base.php');
-$l10n = new OC_L10N('calendar');
-
 OC_JSON::checkLoggedIn();
 OC_JSON::checkAppEnabled('calendar');
 $id = $_POST['id'];
-$event_object = OC_Calendar_App::getEventObject($id);
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+	OC_JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 $result = OC_Calendar_Object::delete($id);
-OC_JSON::success();
-?>
+OC_JSON::success();
\ No newline at end of file
diff --git a/apps/calendar/ajax/event/edit.form.php b/apps/calendar/ajax/event/edit.form.php
index ab77a747f1c..a2e3fe6163f 100644
--- a/apps/calendar/ajax/event/edit.form.php
+++ b/apps/calendar/ajax/event/edit.form.php
@@ -14,15 +14,14 @@ if(!OC_USER::isLoggedIn()) {
 OC_JSON::checkAppEnabled('calendar');
 $id = $_GET['id'];
-$data = OC_Calendar_App::getEventObject($id);
-$object = OC_VObject::parse($data['calendardata']);
-$vevent = $object->VEVENT;
-
-$access = OC_Calendar_App::check_access($id);
-if(!$access){
+$data = OC_Calendar_App::getEventObject($id, true, true);
+if(!$data){
 	OC_JSON::error(array('data' => array('message' => self::$l10n->t('Wrong calendar'))));
 	exit;
 }
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_Share::EVENT);
+$object = OC_VObject::parse($data['calendardata']);
+$vevent = $object->VEVENT;
 $dtstart = $vevent->DTSTART;
 $dtend = OC_Calendar_Object::getDTEndFromVEvent($vevent);
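Review bot: The guard added before `OC_Calendar_Object::delete()` tests the access string with loose `!=`, so if getaccess() can ever return a non-string such as `0` for an unknown or unshared event, PHP 5's `0 != 'owner'` evaluates to false and the delete goes through; `if(!in_array($access, array('owner', 'rw'), true)){` denies for any value that is not exactly one of the two strings. The same five-line block is pasted into edit.php, move.php and resize.php in this commit, so a single helper on OC_Calendar_App that emits the error and exits would keep the four copies from drifting apart. The constant passed here, `OC_Calendar_App::EVENT`, differs from the `OC_Calendar_Share::EVENT` used by edit.form.php and by the line resize.php removes; unless OC_Calendar_App really declares EVENT, all four new checks die on an undefined class constant. The denial is emitted as `array('message'=>...)` while edit.form.php wraps its message in `'data' => array('message' => ...)`, so the client has to handle two error shapes. `$result` from delete() is also never inspected before `OC_JSON::success()` is sent.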
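Review bot: The `if(!$data)` branch keeps the unchanged error line built on `self::$l10n`, but this is a procedural file with no enclosing class, so a missing or inaccessible event would die on a fatal error instead of returning the 'Wrong calendar' JSON; a file-level `$l10n = new OC_L10N('calendar');` (the line delete.php drops in this same commit) and `$l10n->t(...)` would make the branch actually reachable. The access lookup passes `OC_Calendar_Share::EVENT` whereas delete.php, edit.php, move.php and resize.php pass `OC_Calendar_App::EVENT`; one spelling should be used in all five files. The two boolean arguments added in `getEventObject($id, true, true)` are unexplained; a one-line comment naming what each flag enables would help the next reader. `$access` is not checked in this hunk, and the header of the later hunk shows it only selects which template is rendered, which looks intended for read-only viewers but is worth stating in a comment.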
@@ -214,7 +213,7 @@ if($access == 'owner' || $access == 'rw'){
 	$tmpl = new OC_Template('calendar', 'part.showevent');
 }
-$tmpl->assign('id', $id);
+$tmpl->assign('eventid', $id);
 $tmpl->assign('lastmodified', $lastmodified);
 $tmpl->assign('calendar_options', $calendar_options);
 $tmpl->assign('category_options', $category_options);
diff --git a/apps/calendar/ajax/event/edit.php b/apps/calendar/ajax/event/edit.php
index 64daffddef0..8dd99b2b100 100644
--- a/apps/calendar/ajax/event/edit.php
+++ b/apps/calendar/ajax/event/edit.php
@@ -10,13 +10,20 @@ require_once('../../../../lib/base.php');
 OC_JSON::checkLoggedIn();
 OC_JSON::checkAppEnabled('calendar');
+$id = $_POST['id'];
+
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+	OC_JSON::error(array('message'=>'permission denied'));
+	exit;
+}
+
 $errarr = OC_Calendar_Object::validateRequest($_POST);
 if($errarr){
 	//show validate errors
 	OC_JSON::error($errarr);
 	exit;
 }else{
-	$id = $_POST['id'];
 	$cal = $_POST['calendar'];
 	$data = OC_Calendar_App::getEventObject($id);
 	$vcalendar = OC_VObject::parse($data['calendardata']);
diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php
index 8150fdbaa32..c6743e2354f 100644
--- a/apps/calendar/ajax/event/move.php
+++ b/apps/calendar/ajax/event/move.php
@@ -9,7 +9,11 @@ require_once('../../../../lib/base.php');
 OC_JSON::checkLoggedIn();
 $id = $_POST['id'];
-
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+	OC_JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 $vcalendar = OC_Calendar_App::getVCalendar($id);
 $vevent = $vcalendar->VEVENT;
@@ -17,7 +21,6 @@ $allday = $_POST['allDay'];
 $delta = new DateInterval('P0D');
 $delta->d = $_POST['dayDelta'];
 $delta->i = $_POST['minuteDelta'];
-
 OC_Calendar_App::isNotModified($vevent, $_POST['lastmodified']);
 $dtstart = $vevent->DTSTART;
@@ -40,4 +43,4 @@ $vevent->setDateTime('DTSTAMP', 'now', Sabre_VObject_Element_DateTime::UTC);
 $result = OC_Calendar_Object::edit($id, $vcalendar->serialize());
 $lastmodified = $vevent->__get('LAST-MODIFIED')->getDateTime();
-OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
+OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
\ No newline at end of file
diff --git a/apps/calendar/ajax/event/resize.php b/apps/calendar/ajax/event/resize.php
index 1136273b706..a2ae83111b8 100644
--- a/apps/calendar/ajax/event/resize.php
+++ b/apps/calendar/ajax/event/resize.php
@@ -10,8 +10,9 @@ OC_JSON::checkLoggedIn();
 $id = $_POST['id'];
-if(!OC_Calendar_Share::is_editing_allowed(OC_User::getUser(), $id, OC_Calendar_Share::EVENT) && OC_Calendar_Object::getowner($id) != OC_User::getUser()){
-	OC_JSON::error(array('message'=>'permissiondenied'));
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+	OC_JSON::error(array('message'=>'permission denied'));
 	exit;
 }
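Review bot: The error text changes from `'permissiondenied'` to `'permission denied'` on the added line; if the calendar JavaScript compares on that string, the rename silently breaks its handling, so the callers should be checked or the old value kept. The removed condition granted editing either to the owner or to anyone for whom is_editing_allowed() returned true, while the new one requires getaccess() to return exactly 'owner' or 'rw'; that is only equivalent if getaccess() maps every previously editable share to 'rw', which cannot be confirmed from this hunk and deserves a comment next to the check.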