author | Georg Ehrke <dev@georgswebsite.de> | 2012-04-07 22:37:26 -0400 |
---|---|---|
committer | Georg Ehrke <dev@georgswebsite.de> | 2012-04-07 22:37:26 -0400 |
commit | eef9a1e7ed63a3d6506afd0dbf84d16fbf8c1064 (patch) | |
tree | 495aacd95819abbfd768f0bc72901fd7ea976b27 /apps/calendar/ajax/event/move.php | |
parent | e18c0d54f6f424614cc6e4da3beb704efaab702f (diff) | |
add access check to ajax files
Diffstat (limited to 'apps/calendar/ajax/event/move.php')
-rw-r--r-- | apps/calendar/ajax/event/move.php | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php
index 8150fdbaa32..c6743e2354f 100644
--- a/apps/calendar/ajax/event/move.php
+++ b/apps/calendar/ajax/event/move.php
@@ -9,7 +9,11 @@ require_once('../../../../lib/base.php');
 OC_JSON::checkLoggedIn();
 $id = $_POST['id'];
-
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+ OC_JSON::error(array('message'=>'permission denied'));
+ exit;
+}
 $vcalendar = OC_Calendar_App::getVCalendar($id);
 $vevent = $vcalendar->VEVENT;
@@ -17,7 +21,6 @@ $allday = $_POST['allDay'];
 $delta = new DateInterval('P0D');
 $delta->d = $_POST['dayDelta'];
 $delta->i = $_POST['minuteDelta'];
-
 OC_Calendar_App::isNotModified($vevent, $_POST['lastmodified']);
 $dtstart = $vevent->DTSTART;
@@ -40,4 +43,4 @@ $vevent->setDateTime('DTSTAMP', 'now', Sabre_VObject_Element_DateTime::UTC);
 $result = OC_Calendar_Object::edit($id, $vcalendar->serialize());
 $lastmodified = $vevent->__get('LAST-MODIFIED')->getDateTime();
-OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
+OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
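Review bot: The permission gate added in the first hunk (`@@ -9,7 +9,11 @@`) compares `$access` with loose `!=`, so the decision depends on PHP type juggling rather than on the two allowed strings. The body of `OC_Calendar_App::getaccess()` is not visible here, but if it can ever return a non-string, a boolean `true` (or, before PHP 8, an integer `0`) compares equal to `'owner'` and the request is allowed through to `OC_Calendar_Object::edit()`. An authorization check should fail closed on strict identity: `if($access !== 'owner' && $access !== 'rw'){`. Separately, `$id` reaches `getaccess()` straight from `$_POST['id']` with no presence or type check, so a missing or array-valued `id` is handled only by whatever `getaccess()` does with it. Rejecting such input before the lookup would keep the deny path explicit.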
\ No newline at end of file |