authorMichael Gapczynski <mtgap@owncloud.com>2012-08-08 21:43:02 -0400
committerMichael Gapczynski <mtgap@owncloud.com>2012-08-08 21:43:02 -0400
commitb830b3e24b281204344e9162352c7034f0a67187 (patch)
tree0dd88472a8a3699dee02a65ac50a6855f7ce1c08
parent2c5744f16c82f4f6742ad528c88b0480d007a014 (diff)
downloadnextcloud-server-b830b3e24b281204344e9162352c7034f0a67187.tar.gz
nextcloud-server-b830b3e24b281204344e9162352c7034f0a67187.zip
Start adding permission checks for addressbooks
-rw-r--r--apps/contacts/lib/addressbook.php14
-rw-r--r--apps/contacts/lib/app.php28
-rw-r--r--apps/contacts/lib/vcard.php18
-rw-r--r--lib/public/share.php1
4 files changed, 46 insertions, 15 deletions
diff --git a/apps/contacts/lib/addressbook.php b/apps/contacts/lib/addressbook.php
index a81b1f77985..92c5f4da3a7 100644
--- a/apps/contacts/lib/addressbook.php
+++ b/apps/contacts/lib/addressbook.php
@@ -208,7 +208,12 @@ class OC_Contacts_Addressbook {
public static function edit($id,$name,$description) {
// Need these ones for checking uri
$addressbook = self::find($id);
-
+ if ($addressbook['userid'] != OCP\User::getUser()) {
+ $sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
+ if (!$sharedAddressbook || !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
+ return false;
+ }
+ }
if(is_null($name)) {
$name = $addressbook['name'];
}
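Review bot: The owner check added at the top of edit() compares `$addressbook['userid']` with `OCP\User::getUser()` using loose `!=`, so two distinct user ids that PHP treats as equal numeric strings (e.g. `'01'` and `'1'`) would be taken as the same owner and skip the share lookup; use `!==` here and in the identical check in delete(). It also appears that a failed `self::find($id)` would leave `$addressbook['userid']` unset, fall into the share branch and return false, which fails closed but only by accident — state it, e.g. `// a missing addressbook has no owner and no share, so the check below fails closed`. edit()'s body continues past the end of the hunk.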
@@ -270,6 +275,13 @@ class OC_Contacts_Addressbook {
* @return boolean
*/
public static function delete($id) {
+ $addressbook = self::find($id);
+ if ($addressbook['userid'] != OCP\User::getUser()) {
+ $sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id);
+ if (!$sharedAddressbook || !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_DELETE)) {
+ return false;
+ }
+ }
self::setActive($id, false);
try {
$stmt = OCP\DB::prepare( 'DELETE FROM *PREFIX*contacts_addressbooks WHERE id = ?' );
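Review bot: The owner-or-share permission check added to delete() is a copy of the one added to edit() and of the one in OC_Contacts_VCard::add() in this same commit, differing only in the PERMISSION_* bit; three hand-copied copies of an authorization check are where the next inconsistency (one of them already uses a different sentinel) will creep in. Extract it once as a helper on this class and have delete() call it, as below; the same one-line call then replaces the block in edit(). The helper also makes the strict comparison and the missing-addressbook case explicit. delete()'s body continues past the end of the hunk.
```php
	/**
	 * Whether the current user may perform $permission (an OCP\Share::PERMISSION_* bit)
	 * on addressbook $id: true for the owner, otherwise only if the addressbook is
	 * shared with the user and the share carries that bit. Fails closed when the
	 * addressbook cannot be found.
	 */
	public static function hasPermission($id, $permission) {
		$addressbook = self::find($id);
		if ($addressbook && $addressbook['userid'] === OCP\User::getUser()) {
			return true;
		}
		$shared = OCP\Share::getItemSharedWithBySource('addressbook', $id);
		return $shared && ($shared['permissions'] & $permission);
	}

	public static function delete($id) {
		if (!self::hasPermission($id, OCP\Share::PERMISSION_DELETE)) {
			return false;
		}
		// … unchanged: setActive() and the DELETE statement …
```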
diff --git a/apps/contacts/lib/app.php b/apps/contacts/lib/app.php
index 855a9c74160..e8d9abac417 100644
--- a/apps/contacts/lib/app.php
+++ b/apps/contacts/lib/app.php
@@ -37,19 +37,23 @@ class OC_Contacts_App {
)
)
);
- }
- else {
- OCP\Util::writeLog('contacts',
- 'Addressbook('.$id.') is not from '.OCP\USER::getUser(),
- OCP\Util::ERROR);
- //throw new Exception('This is not your addressbook.');
- OCP\JSON::error(
- array(
- 'data' => array(
- 'message' => self::$l10n->t('This is not your addressbook.')
+ } else {
+ $sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $id, OC_Share_Backend_Addressbook::FORMAT_ADDRESSBOOKS);
+ if ($sharedAddressbook) {
+ return $sharedAddressbook;
+ } else {
+ OCP\Util::writeLog('contacts',
+ 'Addressbook('.$id.') is not from '.OCP\USER::getUser(),
+ OCP\Util::ERROR);
+ //throw new Exception('This is not your addressbook.');
+ OCP\JSON::error(
+ array(
+ 'data' => array(
+ 'message' => self::$l10n->t('This is not your addressbook.')
+ )
)
- )
- );
+ );
+ }
}
}
return $addressbook;
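Review bot: In the new non-owner branch, when no share is found the code logs and emits `OCP\JSON::error(...)` but nothing stops execution, so the method still reaches `return $addressbook;` on the hunk's last line and hands the caller another user's addressbook record; the only path that now returns early is the shared one. Unless every caller is known to exit after the JSON error (the still-commented-out `throw` suggests that was never settled), add `return false;` directly after the `OCP\JSON::error(...)` call, or reinstate the exception so a denial cannot be ignored. The enclosing method starts before the hunk.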
diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php
index 990e790c035..a93ca399d3a 100644
--- a/apps/contacts/lib/vcard.php
+++ b/apps/contacts/lib/vcard.php
@@ -292,12 +292,26 @@ class OC_Contacts_VCard{
OCP\Util::writeLog('contacts', 'OC_Contacts_VCard::add. No vCard supplied', OCP\Util::ERROR);
return null;
};
-
+ $addressbook = OC_Contacts_Addressbook::find($aid);
+ if ($addressbook['userid'] != OCP\User::getUser()) {
+ $sharedAddressbook = OCP\Share::getItemSharedWithBySource('addressbook', $aid);
+ if (!$sharedAddressbook) {
+ return false;
+ }
+ } else {
+ $sharedAddressbook = false;
+ }
if(!$isnew) {
+ if ($sharedAddressbook && !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
+ return false;
+ }
OC_Contacts_App::loadCategoriesFromVCard($card);
self::updateValuesFromAdd($aid, $card);
+ } else {
+ if ($sharedAddressbook && !($sharedAddressbook['permissions'] & OCP\Share::PERMISSION_CREATE)) {
+ return false;
+ }
}
-
$card->setString('VERSION', '3.0');
// Add product ID is missing.
$prodid = trim($card->getAsString('PRODID'));
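Review bot: The three new permission guards in add() return `false` on denial while the existing no-vCard guard just above returns `null` after logging, so the function now has two failure sentinels and the new one is silent; a caller that checks `=== null` will treat a denied write as success, and nothing reaches the log. Log the denial the way the existing guard does, e.g. `OCP\Util::writeLog('contacts', 'OC_Contacts_VCard::add. No permission for addressbook '.$aid, OCP\Util::ERROR);` before each `return false;`, and settle on one sentinel for the whole function. As in OC_Contacts_Addressbook::edit(), the owner comparison `$addressbook['userid'] != OCP\User::getUser()` should be strict (`!==`). add() starts and ends outside the hunk.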
diff --git a/lib/public/share.php b/lib/public/share.php
index 113f55a3480..bda2441b45e 100644
--- a/lib/public/share.php
+++ b/lib/public/share.php
@@ -507,6 +507,7 @@ class Share {
$query_args[] = $root.$item;
} else {
$where .= " AND item_source = ?";
+ $column = 'item_source';
$query_args[] = $item;
}
} else {