amorfo77/sogo
1
0
Fork 0
mirror of https://github.com/inverse-inc/sogo.git synced 2026-05-27 06:15:26 +00:00
Code Issues Projects Releases Wiki Activity

* SoObjects/Appointments/SOGoAppointmentObject.m (_handleResourcesConflicts):

Browse Source 
Deny access to resources if the resource's ACL don't allow the organizer
  to read its freebusy info.
  Without this, sogo would always auto-accept invitations from 'unprivileged'
  users, potentially bypassing the multiplebooking parameter.

Monotone-Parent: 8ac367dca61f0a4a66df59c7c786dd0f5016050d
Monotone-Revision: 1f2bd4b4727f3158ab77ca76322cd555967d326a

Monotone-Author: jraby@inverse.ca
Monotone-Date: 2012-05-15T14:36:52
This commit is contained in:
Jean Raby
2012-05-15 14:36:52 +00:00
parent 5d149a53c7
commit 9b814bc58c
4 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SoObjects/Appointments/SOGoAppointmentObject.m
+13 -1
View File
@@ -467,7 +467,19 @@
folder = [[SOGoUser userWithLogin: currentUID]
personalCalendarFolderInContext: context];
// Deny access to the resource if the ACLs don't allow the user
if (![folder aclSQLListingFilter])
{
NSDictionary *values;
NSString *reason;
values = [NSDictionary dictionaryWithObjectsAndKeys:
[user cn], @"Cn",
[user systemEmail], @"SystemEmail"];
reason = [values keysWithFormat: [self labelForKey: @"Cannot access resource: \"%{Cn} %{SystemEmail}\""]];
return [NSException exceptionWithHTTPStatus:403 reason: reason];
}
fbInfo = [NSMutableArray arrayWithArray: [folder fetchFreeBusyInfosFrom: start
to: end]];