From 9b814bc58c2d39162ed8317c3cd5f246b0b0b9e7 Mon Sep 17 00:00:00 2001
From: Jean Raby <jraby@inverse.ca>
Date: Tue, 15 May 2012 14:36:52 +0000
Subject: [PATCH] * SoObjects/Appointments/SOGoAppointmentObject.m
 (_handleResourcesConflicts):   Deny access to resources if the resource's ACL
 don't allow the organizer   to read its freebusy info.   Without this, sogo
 would always auto-accept invitations from 'unprivileged'   users, potentially
 bypassing the multiplebooking parameter.

Monotone-Parent: 8ac367dca61f0a4a66df59c7c786dd0f5016050d
Monotone-Revision: 1f2bd4b4727f3158ab77ca76322cd555967d326a

Monotone-Author: jraby@inverse.ca
Monotone-Date: 2012-05-15T14:36:52
---
 ChangeLog                                          |  8 ++++++++
 .../Appointments/English.lproj/Localizable.strings |  3 ++-
 .../Appointments/French.lproj/Localizable.strings  |  3 ++-
 SoObjects/Appointments/SOGoAppointmentObject.m     | 14 +++++++++++++-
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9d3b3b8af..bdb78f619 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2012-05-15  Jean Raby  <jraby@inverse.ca>
+
+	* SoObjects/Appointments/SOGoAppointmentObject.m (_handleResourcesConflicts):
+	Deny access to resources if the resource's ACL don't allow the organizer
+	to read its freebusy info.
+	Without this, sogo would always auto-accept invitations from 'unprivileged'
+	users, potentially bypassing the multiplebooking parameter.
+	
 2012-05-14  Wolfgang Sourdeau  <wsourdeau@inverse.ca>
 
 	* UI/WebServerResources/UIxContactsUserFolders.js: folder ids are
diff --git a/SoObjects/Appointments/English.lproj/Localizable.strings b/SoObjects/Appointments/English.lproj/Localizable.strings
index a963ca29a..6de15e75b 100644
--- a/SoObjects/Appointments/English.lproj/Localizable.strings
+++ b/SoObjects/Appointments/English.lproj/Localizable.strings
@@ -67,4 +67,5 @@ vtodo_class2 = "(Confidential task)";
 = "%{Attendee} %{SentByText}has not yet decided upon your event invitation.";
 
 /* Resources */
-"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}." = "Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}.";
\ No newline at end of file
+"Cannot access resource: \"%{Cn} %{SystemEmail}\"" = "Cannot access resource: \"%{Cn} %{SystemEmail}\"";
+"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}." = "Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}.";
diff --git a/SoObjects/Appointments/French.lproj/Localizable.strings b/SoObjects/Appointments/French.lproj/Localizable.strings
index 49baa8aa8..5171403ee 100644
--- a/SoObjects/Appointments/French.lproj/Localizable.strings
+++ b/SoObjects/Appointments/French.lproj/Localizable.strings
@@ -67,4 +67,5 @@ vtodo_class2 = "(Tâche confidentielle)";
 = "%{Attendee} %{SentByText}choisit de reporter sa décision par rapport à votre invitation.";
 
 /* Resources */
-"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\"." = "Le nombre maximum (%{NumberOfSimultaneousBookings}) de réservation(s) simultanée(s) a été atteint pour la ressource \"%{Cn} %{SystemEmail}\".";
\ No newline at end of file
+"Cannot access resource: \"%{Cn} %{SystemEmail}\"" = "Impossible d'accéder à la resource: \"%{Cn} %{SystemEmail}\"";
+"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\"." = "Le nombre maximum (%{NumberOfSimultaneousBookings}) de réservation(s) simultanée(s) a été atteint pour la ressource \"%{Cn} %{SystemEmail}\".";
diff --git a/SoObjects/Appointments/SOGoAppointmentObject.m b/SoObjects/Appointments/SOGoAppointmentObject.m
index 37924103b..596e2d2ba 100644
--- a/SoObjects/Appointments/SOGoAppointmentObject.m
+++ b/SoObjects/Appointments/SOGoAppointmentObject.m
@@ -467,7 +467,19 @@
 	      folder = [[SOGoUser userWithLogin: currentUID]
 			 personalCalendarFolderInContext: context];
 
-	      
+	      // Deny access to the resource if the ACLs don't allow the user
+	      if (![folder aclSQLListingFilter])
+	        {
+		  NSDictionary *values;
+		  NSString *reason;
+
+		  values = [NSDictionary dictionaryWithObjectsAndKeys:
+		  		[user cn], @"Cn",
+				[user systemEmail], @"SystemEmail"];
+		  reason = [values keysWithFormat: [self labelForKey: @"Cannot access resource: \"%{Cn} %{SystemEmail}\""]];
+	      	  return [NSException exceptionWithHTTPStatus:403 reason: reason];
+	      	}
+
 	      fbInfo = [NSMutableArray arrayWithArray: [folder fetchFreeBusyInfosFrom: start
 							       to: end]];