Permission checking for shared addressbooks/contacts.

8 files changed, 165 insertions, 39 deletions

diff --git a/apps/contacts/ajax/contact/addproperty.php b/apps/contacts/ajax/contact/addproperty.php
index 89f7a2bd9a3..2b80ebd58bf 100644
--- a/apps/contacts/ajax/contact/addproperty.php
+++ b/apps/contacts/ajax/contact/addproperty.php
@@ -154,8 +154,10 @@ foreach ($parameters as $key=>$element) {
 }
 $checksum = md5($vcard->children[$line]->serialize());
 
-if(!OC_Contacts_VCard::edit($id, $vcard)) {
-	bailOut($l10n->t('Error adding contact property: '.$name));
+try {
+	OC_Contacts_VCard::edit($id, $vcard);
+} catch(Exception $e) {
+	bailOut($e->getMessage());
 }
 
 OCP\JSON::success(array(
diff --git a/apps/contacts/ajax/contact/delete.php b/apps/contacts/ajax/contact/delete.php
index def98b36705..e73f34f898d 100644
--- a/apps/contacts/ajax/contact/delete.php
+++ b/apps/contacts/ajax/contact/delete.php
@@ -4,6 +4,7 @@
  *
  * @author Jakob Sack
  * @copyright 2011 Jakob Sack mail@jakobsack.de
+ * @copyright 2012 Thomas Tanghus (thomas@tanghus.net)
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
@@ -30,7 +31,14 @@ $id = isset($_POST['id'])?$_POST['id']:null;
 if(!$id) {
 	bailOut(OC_Contacts_App::$l10n->t('id is not set.'));
 }
-$card = OC_Contacts_App::getContactObject( $id );
 
-OC_Contacts_VCard::delete($id);
+try {
+	OC_Contacts_VCard::delete($id);
+} catch(Exception $e) {
+	$msg = $e->getMessage();
+	OCP\Util::writeLog('contacts', __METHOD__.', exception: '.$msg,
+		OCP\Util::DEBUG);
+	OCP\Util::writeLog('contacts', __METHOD__.', id'.$id, OCP\Util::DEBUG);
+	bailOut($msg);
+}
 OCP\JSON::success(array('data' => array( 'id' => $id )));
diff --git a/apps/contacts/ajax/contact/deleteproperty.php b/apps/contacts/ajax/contact/deleteproperty.php
index b76eb19462c..b76b6e55ede 100644
--- a/apps/contacts/ajax/contact/deleteproperty.php
+++ b/apps/contacts/ajax/contact/deleteproperty.php
@@ -40,8 +40,10 @@ if(is_null($line)) {
 
 unset($vcard->children[$line]);
 
-if(!OC_Contacts_VCard::edit($id, $vcard)) {
-	bailOut($l10n->t('Error deleting contact property.'));
+try {
+	OC_Contacts_VCard::edit($id, $vcard);
+} catch(Exception $e) {
+	bailOut($e->getMessage());
 }
 
 OCP\JSON::success(array(
diff --git a/apps/contacts/ajax/contact/list.php b/apps/contacts/ajax/contact/list.php
index c5eca292f15..4e2509d8d5a 100644
--- a/apps/contacts/ajax/contact/list.php
+++ b/apps/contacts/ajax/contact/list.php
@@ -41,6 +41,10 @@ foreach($active_addressbooks as $addressbook) {
 				= array('contacts' => array('type' => 'book',));
 		$contacts_addressbook[$addressbook['id']]['displayname']
 				= $addressbook['displayname'];
+		$contacts_addressbook[$addressbook['id']]['permissions']
+				= isset($addressbook['permissions'])
+				? $addressbook['permissions']
+				: '0';
 	}
 }
 
@@ -75,10 +79,14 @@ if($contacts_alphabet) {
 			}
 		}
 		$contacts_addressbook[$contact['addressbookid']]['contacts'][] = array(
-					'type' => 'contact',
-					'id' => $contact['id'],
-					'addressbookid' => $contact['addressbookid'],
-					'displayname' => htmlspecialchars($display)
+			'type' => 'contact',
+			'id' => $contact['id'],
+			'addressbookid' => $contact['addressbookid'],
+			'displayname' => htmlspecialchars($display),
+			'permissions' =>
+				isset($contacts_addressbook[$contact['addressbookid']]['permissions'])
+					? $contacts_addressbook[$contact['addressbookid']]['permissions']
+					: '0',
 		);
 	}
 }
diff --git a/apps/contacts/ajax/contact/saveproperty.php b/apps/contacts/ajax/contact/saveproperty.php
index 296b9ad3b77..7ae183538b6 100644
--- a/apps/contacts/ajax/contact/saveproperty.php
+++ b/apps/contacts/ajax/contact/saveproperty.php
@@ -162,9 +162,10 @@ if(!$value) {
 }
 //debug('New checksum: '.$checksum);
 
-if(!OC_Contacts_VCard::edit($id, $vcard)) {
-	bailOut(OC_Contacts_App::$l10n->t('Error updating contact property.'));
-	exit();
+try {
+	OC_Contacts_VCard::edit($id, $vcard);
+} catch(Exception $e) {
+	bailOut($e->getMessage());
 }
 
 OCP\JSON::success(array('data' => array(
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index a6262349df9..09cf26bf7fe 100644
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -398,12 +398,32 @@ OC.Contacts={
 				localLoadContact(newid, bookid);
 			}
 		},
+		setEnabled:function(enabled) {
+			console.log('setEnabled', enabled);
+			$('.contacts_property,.action').each(function () {
+				$(this).prop('disabled', !enabled);
+				OC.Contacts.Card.enabled = enabled;
+			});
+		},
 		doExport:function() {
 			document.location.href = OC.linkTo('contacts', 'export.php') + '?contactid=' + this.id;
 		},
 		editNew:function(){ // add a new contact
-			this.id = ''; this.fn = ''; this.fullname = ''; this.givname = ''; this.famname = ''; this.addname = ''; this.honpre = ''; this.honsuf = '';
-			OC.Contacts.Card.add(';;;;;', '', '', true);
+			var book = $('#contacts h3.active');
+			var permissions = parseInt(book.data('permissions'));
+			if(permissions == 0
+					|| permissions & OC.Share.PERMISSION_UPDATE
+					|| permissions & OC.Share.PERMISSION_DELETE) {
+				with(this) {
+					delete id; delete fn; delete fullname; delete givname; delete famname;
+					delete addname; delete honpre; delete honsuf;
+				}
+				this.bookid = book.data('id');
+				OC.Contacts.Card.add(';;;;;', '', '', true);
+			} else {
+				OC.dialogs.alert(t('contacts', 'You do not have permission to add contacts to ')
+					+ book.text() + '. ' + t('contacts', 'Please select one of your own address books.'), t('contacts', 'Permission error'));
+			}
 			return false;
 		},
 		add:function(n, fn, aid, isnew){ // add a new contact
@@ -497,11 +517,16 @@ OC.Contacts={
 			OC.Contacts.notify({
 				data:curlistitem,
 				message:t('contacts','Click to undo deletion of "') + curlistitem.find('a').text() + '"',
-				timeout:5,
+				//timeout:5,
 				timeouthandler:function(contact) {
 					console.log('timeout');
-					OC.Contacts.Card.doDelete(contact.data('id'), true);
-					delete contact;
+					OC.Contacts.Card.doDelete(contact.data('id'), true, function(res) {
+						if(!res) {
+							OC.Contacts.Contacts.insertContact({contact:contact});
+						} else {
+							delete contact;
+						}
+					});
 				},
 				clickhandler:function(contact) {
 					OC.Contacts.Contacts.insertContact({contact:contact});
@@ -510,7 +535,7 @@ OC.Contacts={
 				}
 			});
 		},
-		doDelete:function(id, removeFromQueue) {
+		doDelete:function(id, removeFromQueue, cb) {
 			var updateQueue = function(id, remove) {
 				if(removeFromQueue) {
 					OC.Contacts.Contacts.deletionQueue.splice(OC.Contacts.Contacts.deletionQueue.indexOf(parseInt(id)), 1);
@@ -523,14 +548,23 @@ OC.Contacts={
 			if(OC.Contacts.Contacts.deletionQueue.indexOf(parseInt(id)) == -1 && removeFromQueue) {
 				console.log('returning');
 				updateQueue(id, removeFromQueue);
+				if(typeof cb == 'function') {
+					cb(true);
+				}
 				return;
 			}
-			$.post(OC.filePath('contacts', 'ajax', 'contact/delete.php'),{'id':id},function(jsondata) {
+			$.post(OC.filePath('contacts', 'ajax', 'contact/delete.php'), {'id':id},function(jsondata) {
 				if(jsondata.status == 'error'){
-					OC.dialogs.alert(jsondata.data.message, t('contacts', 'Error'));
+					OC.Contacts.notify({message:jsondata.data.message});
+					if(typeof cb == 'function') {
+						cb(false);
+					}
 				}
 				updateQueue(id, removeFromQueue);
 			});
+			if(typeof cb == 'function') {
+				cb(true);
+			}
 		},
 		loadContact:function(jsondata, bookid){
 			this.data = jsondata;
@@ -563,6 +597,11 @@ OC.Contacts={
 				$('#contact_note').hide();
 				$('#contacts_propertymenu_dropdown a[data-type="NOTE"]').parent().show();
 			}
+			var permissions = OC.Contacts.Card.permissions = parseInt($('#contacts ul[data-id="' + bookid + '"]').data('permissions'));
+			console.log('permissions', permissions);
+			this.setEnabled(permissions == 0
+				|| permissions & OC.Share.PERMISSION_UPDATE
+				|| permissions & OC.Share.PERMISSION_DELETE);
 		},
 		loadSingleProperties:function() {
 			var props = ['BDAY', 'NICKNAME', 'ORG', 'URL', 'CATEGORIES'];
@@ -757,6 +796,13 @@ OC.Contacts={
 					console.log('Saving: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'contact/saveproperty.php'),q,function(jsondata){
+						if(!jsondata) {
+							OC.dialogs.alert(t('contacts', 'Unknown error. Please check logs.'), t('contacts', 'Error'));
+							OC.Contacts.loading(obj, false);
+							$(obj).removeAttr('disabled');
+							OC.Contacts.Card.update({cid:OC.Contacts.Card.id});
+							return false;
+						}
 						if(jsondata.status == 'success'){
 							container.data('checksum', jsondata.data.checksum);
 							OC.Contacts.Card.savePropertyInternal(name, fields, checksum, jsondata.data.checksum);
@@ -768,6 +814,7 @@ OC.Contacts={
 							OC.dialogs.alert(jsondata.data.message, t('contacts', 'Error'));
 							OC.Contacts.loading(obj, false);
 							$(obj).removeAttr('disabled');
+							OC.Contacts.Card.update({cid:OC.Contacts.Card.id});
 							return false;
 						}
 					},'json');
@@ -787,12 +834,16 @@ OC.Contacts={
 							OC.dialogs.alert(jsondata.data.message, t('contacts', 'Error'));
 							OC.Contacts.loading(obj, false);
 							$(obj).removeAttr('disabled');
+							OC.Contacts.Card.update({cid:OC.Contacts.Card.id});
 							return false;
 						}
 					},'json');
 			}
 		},
 		addProperty:function(type) {
+			if(!this.enabled) {
+				return;
+			}
 			switch (type) {
 				case 'NOTE':
 					$('#contacts_propertymenu_dropdown a[data-type="'+type+'"]').parent().hide();
@@ -836,6 +887,9 @@ OC.Contacts={
 		},
 		deleteProperty:function(obj, type) {
 			console.log('deleteProperty');
+			if(!this.enabled) {
+				return;
+			}
 			OC.Contacts.loading(obj, true);
 			var checksum = OC.Contacts.checksumFor(obj);
 			if(checksum) {
@@ -887,6 +941,9 @@ OC.Contacts={
 			}
 		},
 		editName:function() {
+			if(!this.enabled) {
+				return;
+			}
 			var params = {id: this.id};
 			/* Initialize the name edit dialog */
 			if($('#edit_name_dialog').dialog('isOpen') == true) {
@@ -922,6 +979,9 @@ OC.Contacts={
 			}
 		},
 		saveName:function(dlg) {
+			if(!this.enabled) {
+				return;
+			}
 			//console.log('saveName, id: ' + this.id);
 			var n = new Array($(dlg).find('#fam').val().strip_tags(),$(dlg).find('#giv').val().strip_tags(),$(dlg).find('#add').val().strip_tags(),$(dlg).find('#pre').val().strip_tags(),$(dlg).find('#suf').val().strip_tags());
 			this.famname = n[0];
@@ -1010,6 +1070,9 @@ OC.Contacts={
 			return false;
 		},
 		editAddress:function(obj, isnew){
+			if(!this.enabled) {
+				return;
+			}
 			var container = undefined;
 			var params = {id: this.id};
 			if(obj === 'new') {
@@ -1135,6 +1198,9 @@ OC.Contacts={
 			}
 		},
 		saveAddress:function(dlg, obj, isnew){
+			if(!this.enabled) {
+				return;
+			}
 			if(isnew) {
 				container = $('#addresses dl').last();
 				obj = container.find('input').first();
@@ -1177,6 +1243,9 @@ OC.Contacts={
 			container.find('.addresslist').html(adrtxt);
 		},
 		uploadPhoto:function(filelist) {
+			if(!this.enabled) {
+				return;
+			}
 			if(!filelist) {
 				OC.dialogs.alert(t('contacts','No files selected for upload.'), t('contacts', 'Error'));
 				return;
@@ -1255,6 +1324,9 @@ OC.Contacts={
 			this.loadPhotoHandlers()
 		},
 		editCurrentPhoto:function(){
+			if(!this.enabled) {
+				return;
+			}
 			$.getJSON(OC.filePath('contacts', 'ajax', 'currentphoto.php'),{'id':this.id},function(jsondata){
 				if(jsondata.status == 'success'){
 					//alert(jsondata.data.page);
@@ -1268,6 +1340,9 @@ OC.Contacts={
 			});
 		},
 		editPhoto:function(id, tmpkey){
+			if(!this.enabled) {
+				return;
+			}
 			//alert('editPhoto: ' + tmpkey);
 			$.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmpkey':tmpkey,'id':this.id, 'requesttoken':requesttoken},function(jsondata){
 				if(jsondata.status == 'success'){
@@ -1284,7 +1359,10 @@ OC.Contacts={
 				$('#edit_photo_dialog').dialog('open');
 			}
 		},
-		savePhoto:function(){
+		savePhoto:function() {
+			if(!this.enabled) {
+				return;
+			}
 			var target = $('#crop_target');
 			var form = $('#cropform');
 			var wrapper = $('#contacts_details_photo_wrapper');
@@ -1719,11 +1797,15 @@ OC.Contacts={
 							firstrun = true;
 							if($('#contacts h3').length == 0) {
 								$('#contacts').html('<h3 class="addressbook" contextmenu="addressbookmenu" data-id="'
-									+ b+'">'+book.displayname+'</h3><ul class="contacts hidden" data-id="'+b+'"></ul>');
+									+ b + '" data-permissions="' + book.permissions + '">' + book.displayname
+									+ '</h3><ul class="contacts hidden" data-id="'+b+'" data-permissions="'
+									+ book.permissions + '"></ul>');
 							} else {
-								if(!$('#contacts h3[data-id="'+b+'"]').length) {
-									var item = $('<h3 class="addressbook" contextmenu="addressbookmenu" data-id="'+b+'">'
-										+ book.displayname+'</h3><ul class="contacts hidden" data-id="'+b+'"></ul>')
+								if(!$('#contacts h3[data-id="' + b + '"]').length) {
+									var item = $('<h3 class="addressbook" contextmenu="addressbookmenu" data-id="'
+										+ b + '" data-permissions="' + book.permissions + '">'
+										+ book.displayname+'</h3><ul class="contacts hidden" data-id="' + b
+										+ '" data-permissions="' + book.permissions + '"></ul>');
 									var added = false;
 									$('#contacts h3').each(function(){
 										if ($(this).text().toLowerCase() > book.displayname.toLowerCase()) {
diff --git a/apps/contacts/lib/share/addressbook.php b/apps/contacts/lib/share/addressbook.php
index 0c90470d377..d35f0ce9aea 100644
--- a/apps/contacts/lib/share/addressbook.php
+++ b/apps/contacts/lib/share/addressbook.php
@@ -73,6 +73,7 @@ class OC_Share_Backend_Addressbook implements OCP\Share_Backend_Collection {
 				$addressbook = OC_Contacts_Addressbook::find($item['item_source']);
 				if ($addressbook) {
 					$addressbook['displayname'] = $item['item_target'];
+					$addressbook['permissions'] = $item['permissions'];
 					$addressbooks[] = $addressbook;
 				}
 			}
diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php
index 58d78875af2..cee9c640cf6 100644
--- a/apps/contacts/lib/vcard.php
+++ b/apps/contacts/lib/vcard.php
@@ -405,7 +405,7 @@ class OC_Contacts_VCard{
 		if ($addressbook['userid'] != OCP\User::getUser()) {
 			$sharedContact = OCP\Share::getItemSharedWithBySource('contact', $id, OCP\Share::FORMAT_NONE, null, true);
 			if (!$sharedContact || !($sharedContact['permissions'] & OCP\Share::PERMISSION_UPDATE)) {
-				return false;
+				throw new Exception(OC_Contacts_App::$l10n->t('You do not have the permissions to edit this contact.'));
 			}
 		}
 		OC_Contacts_App::loadCategoriesFromVCard($card);
@@ -423,7 +423,8 @@ class OC_Contacts_VCard{
 		try {
 			$result = $stmt->execute(array($fn,$data,time(),$id));
 		} catch(Exception $e) {
-			OCP\Util::writeLog('contacts', __METHOD__.', exception: '.$e->getMessage(), OCP\Util::ERROR);
+			OCP\Util::writeLog('contacts', __METHOD__.', exception: '
+				. $e->getMessage(), OCP\Util::ERROR);
 			OCP\Util::writeLog('contacts', __METHOD__.', id'.$id, OCP\Util::DEBUG);
 			return false;
 		}
@@ -444,10 +445,21 @@ class OC_Contacts_VCard{
 		$oldcard = self::findWhereDAVDataIs($aid, $uri);
 		$card = OC_VObject::parse($data);
 		if(!$card) {
-			OCP\Util::writeLog('contacts', __METHOD__.', Unable to parse VCARD, uri: '.$uri, OCP\Util::ERROR);
+			OCP\Util::writeLog('contacts', __METHOD__.
+				', Unable to parse VCARD, uri: '.$uri, OCP\Util::ERROR);
+			return false;
+		}
+		try {
+			self::edit($oldcard['id'], $card);
+			return true;
+		} catch(Exception $e) {
+			OCP\Util::writeLog('contacts', __METHOD__.', exception: '
+				. $e->getMessage() . ', '
+				. OCP\USER::getUser(), OCP\Util::ERROR);
+			OCP\Util::writeLog('contacts', __METHOD__.', uri'
+				. $uri, OCP\Util::DEBUG);
 			return false;
 		}
-		return self::edit($oldcard['id'], $card);
 	}
 
 	/**
@@ -462,18 +474,28 @@ class OC_Contacts_VCard{
 		}
 		$addressbook = OC_Contacts_Addressbook::find($card['addressbookid']);
 		if ($addressbook['userid'] != OCP\User::getUser()) {
-			$sharedContact = OCP\Share::getItemSharedWithBySource('contact', $id, OCP\Share::FORMAT_NONE, null, true);
-			if (!$sharedContact || !($sharedContact['permissions'] & OCP\Share::PERMISSION_DELETE)) {
-				return false;
-			}
-		}
-		OC_Hook::emit('OC_Contacts_VCard', 'pre_deleteVCard', array('aid' => null, 'id' => $id, 'uri' => null));
-		$stmt = OCP\DB::prepare( 'DELETE FROM *PREFIX*contacts_cards WHERE id = ?' );
+			$sharedContact = OCP\Share::getItemSharedWithBySource('contact',
+				$id, OCP\Share::FORMAT_NONE, null, true);
+			if (!$sharedContact
+				|| !($sharedContact['permissions'] & OCP\Share::PERMISSION_DELETE)) {
+				throw new Exception(
+					OC_Contacts_App::$l10n->t(
+						'You do not have the permissions to delete this contact.'
+					)
+				);
+			}
+		}
+		OC_Hook::emit('OC_Contacts_VCard', 'pre_deleteVCard',
+			array('aid' => null, 'id' => $id, 'uri' => null)
+		);
+		$stmt = OCP\DB::prepare('DELETE FROM *PREFIX*contacts_cards WHERE id = ?');
 		try {
 			$stmt->execute(array($id));
 		} catch(Exception $e) {
-			OCP\Util::writeLog('contacts', __METHOD__.', exception: '.$e->getMessage(), OCP\Util::ERROR);
-			OCP\Util::writeLog('contacts', __METHOD__.', id: '.$id, OCP\Util::DEBUG);
+			OCP\Util::writeLog('contacts', __METHOD__.
+				', exception: ' . $e->getMessage(), OCP\Util::ERROR);
+			OCP\Util::writeLog('contacts', __METHOD__.', id: '
+				. $id, OCP\Util::DEBUG);
 			return false;
 		}