diff options
| author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2023-05-24 22:27:51 +0200 |
|---|---|---|
| committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2023-05-25 12:26:26 +0200 |
| commit | e524631ce3188ecaa16f83874a632f3702376e65 (patch) | |
| tree | b64cf7587a4535142a2d0744aa0470c893451e82 /apps/dav/lib | |
| parent | b6d734375478c791a146e2ec5ad61ac1a699e436 (diff) | |
| download | nextcloud-server-e524631ce3188ecaa16f83874a632f3702376e65.tar.gz nextcloud-server-e524631ce3188ecaa16f83874a632f3702376e65.zip | |
fix(carddav): Don't show system address book cards to guests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Diffstat (limited to 'apps/dav/lib')
| -rw-r--r-- | apps/dav/lib/CardDAV/SystemAddressbook.php | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/apps/dav/lib/CardDAV/SystemAddressbook.php b/apps/dav/lib/CardDAV/SystemAddressbook.php index 48ec533353a..1cffde63474 100644 --- a/apps/dav/lib/CardDAV/SystemAddressbook.php +++ b/apps/dav/lib/CardDAV/SystemAddressbook.php @@ -92,7 +92,7 @@ class SystemAddressbook extends AddressBook { // Should never happen because we don't allow anonymous access return []; } - if (!$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) { + if ($user->getBackendClassName() === 'Guests' || !$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) { $name = SyncService::getCardUri($user); try { return [parent::getChild($name)]; @@ -135,8 +135,8 @@ class SystemAddressbook extends AddressBook { $shareEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes'; $shareEnumerationGroup = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes'; $shareEnumerationPhone = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_phone', 'no') === 'yes'; - if (!$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) { - $user = $this->userSession->getUser(); + $user = $this->userSession->getUser(); + if (($user !== null && $user->getBackendClassName() === 'Guests') || !$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) { // No user or cards with no access if ($user === null || !in_array(SyncService::getCardUri($user), $paths, true)) { return []; @@ -149,7 +149,6 @@ class SystemAddressbook extends AddressBook { } } if ($shareEnumerationGroup) { - $user = $this->userSession->getUser(); if ($this->groupManager === null || $user === null) { // Group manager or user is not available, so we can't determine which data is safe return []; @@ -196,19 +195,18 @@ class SystemAddressbook extends AddressBook { * @throws Forbidden */ public function getChild($name): Card { + $user = $this->userSession->getUser(); $shareEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes'; $shareEnumerationGroup = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes'; $shareEnumerationPhone = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_phone', 'no') === 'yes'; - if (!$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) { - $currentUser = $this->userSession->getUser(); - $ownName = $currentUser !== null ? SyncService::getCardUri($currentUser) : null; + if (($user !== null && $user->getBackendClassName() === 'Guests') || !$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) { + $ownName = $user !== null ? SyncService::getCardUri($user) : null; if ($ownName === $name) { return parent::getChild($name); } throw new Forbidden(); } if ($shareEnumerationGroup) { - $user = $this->userSession->getUser(); if ($user === null || $this->groupManager === null) { // Group manager is not available, so we can't determine which data is safe throw new Forbidden(); |