author | Georg Ehrke <dev@georgswebsite.de> | 2012-05-14 15:59:06 +0200 |
---|---|---|
committer | Georg Ehrke <dev@georgswebsite.de> | 2012-05-14 15:59:06 +0200 |
commit | 18c8896b3c27ca1419ddf6e79cb296d51db3c201 (patch) | |
tree | b74f8a2781b83d9c7f1dbe72af7a347626b03bd7 /apps | |
parent | 84827ff992eb164d201e3d7081f9d8561711723a (diff) | |
better user permission check for files in ajax/calendar/
Diffstat (limited to 'apps')
-rwxr-xr-x | apps/calendar/ajax/calendar/activation.php | 6 | ||||
-rwxr-xr-x | apps/calendar/ajax/calendar/delete.php | 6 | ||||
-rwxr-xr-x | apps/calendar/ajax/calendar/edit.php | 6 | ||||
-rwxr-xr-x | apps/calendar/ajax/calendar/update.php | 6 |
4 files changed, 20 insertions, 4 deletions
diff --git a/apps/calendar/ajax/calendar/activation.php b/apps/calendar/ajax/calendar/activation.php
index 3523590aa27..380db6a9437 100755
--- a/apps/calendar/ajax/calendar/activation.php
+++ b/apps/calendar/ajax/calendar/activation.php
@@ -10,7 +10,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 $calendarid = $_POST['calendarid'];
-$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
+$calendar = OC_Calendar_App::getCalendar($calendarid, true);
+if(!$calendar){
+ OCP\JSON::error(array('message'=>'permission denied'));
+ exit;
+}
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
 $calendar = OC_Calendar_App::getCalendar($calendarid);
 OCP\JSON::success(array(
diff --git a/apps/calendar/ajax/calendar/delete.php b/apps/calendar/ajax/calendar/delete.php
index a36a0534650..9e092f2df1d 100755
--- a/apps/calendar/ajax/calendar/delete.php
+++ b/apps/calendar/ajax/calendar/delete.php
@@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 $cal = $_POST["calendarid"];
-$calendar = OC_Calendar_App::getCalendar($cal);
+$calendar = OC_Calendar_App::getCalendar($cal, true);
+if(!$calendar){
+ OCP\JSON::error(array('message'=>'permission denied'));
+ exit;
+}
 $del = OC_Calendar_Calendar::deleteCalendar($cal);
 if($del == true){
 OCP\JSON::success();
diff --git a/apps/calendar/ajax/calendar/edit.php b/apps/calendar/ajax/calendar/edit.php
index 77366809311..516c9f6c765 100755
--- a/apps/calendar/ajax/calendar/edit.php
+++ b/apps/calendar/ajax/calendar/edit.php
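Review bot: The four-line guard added after `getCalendar($calendarid, true)` in activation.php is copied verbatim into the delete.php, edit.php and update.php hunks, and the `//access check` comment that explained the call is dropped here and in update.php. Nothing on the page shows what the second argument does, so a reader cannot tell that `true` is what makes the lookup an ownership check; a comment such as `// second argument requests the ownership check; a falsy result means the caller may not use this calendar` (wording to be confirmed against getCalendar) would keep that visible. Moving the guard into one shared helper would also stop a future endpoint from calling getCalendar without testing the result, as the removed lines appear to have done. The second `getCalendar($calendarid)` call further down in activation.php still uses the one-argument form.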
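Review bot: The delete.php hunk now tests ownership, but the visible lines verify only the session (`checkLoggedIn`) and the app state before acting on `$_POST["calendarid"]`; no request token is checked ahead of `deleteCalendar($cal)`. A cross-site request sent with the owner's session would therefore pass the new ownership test. If the platform offers a request-token check at this revision (later ownCloud releases provide `OCP\JSON::callCheck();`), it belongs directly after `checkAppEnabled('calendar')`, and the same applies to the activation.php and update.php hunks. Lines above the hunk are not shown, so confirm that no such check already exists there.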
@@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 $calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
-$calendar = OC_Calendar_App::getCalendar($_GET['calendarid']);
+$calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);
+if(!$calendar){
+ OCP\JSON::error(array('message'=>'permission denied'));
+ exit;
+}
 $tmpl = new OCP\Template("calendar", "part.editcalendar");
 $tmpl->assign('new', false);
 $tmpl->assign('calendarcolor_options', $calendarcolor_options);
diff --git a/apps/calendar/ajax/calendar/update.php b/apps/calendar/ajax/calendar/update.php
index 3b1cc32b316..dce0027304a 100755
--- a/apps/calendar/ajax/calendar/update.php
+++ b/apps/calendar/ajax/calendar/update.php
@@ -25,7 +25,11 @@ foreach($calendars as $cal){
 }
 $calendarid = $_POST['id'];
-$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
+$calendar = OC_Calendar_App::getCalendar($calendarid, true);
+if(!$calendar){
+ OCP\JSON::error(array('message'=>'permission denied'));
+ exit;
+}
 OC_Calendar_Calendar::editCalendar($calendarid, strip_tags($_POST['name']), null, null, null, $_POST['color']);
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']); |
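Review bot: On denial the edit.php hunk answers with `OCP\JSON::error(...)`, while the success path directly below builds the `part.editcalendar` template, so the caller gets JSON where it otherwise gets markup. Unless the client script checks the response type, the error object may end up rendered into the dialog; confirm how the caller handles it, or return an error the HTML consumer understands. This endpoint also reads the id from `$_GET['calendarid']` while the other three hunks use `$_POST`. The rest of the script continues outside the hunk.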
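Review bot: In update.php the new guard covers ownership only; on the line after it `$_POST['name']` goes through `strip_tags()` but `$_POST['color']` is handed to `editCalendar()` as received. If the stored colour is later written into markup or a style attribute, it should be validated here, for example `if(!preg_match('/^#[0-9a-fA-F]{6}$/', $_POST['color'])){ OCP\JSON::error(array('message'=>'invalid color')); exit; }`, assuming colours are stored as six-digit hex values. The guard also sits after the `foreach($calendars as $cal)` block, whose body is outside the hunk, so whatever that loop does runs before authorization.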