oc: Check FolderOwner right to modify permissions

As specified by [MS-OXCPERM] Section 3.2.5.2, the ModifyPermissions ROP
is only permitted for users who have this right.

After this changeset, we check that the active user can modify the
permission list. This is a security fix.
Enrique J. Hernández Blasco
2016-01-27 23:03:08 +01:00
parent 8c8ad301b4
commit bcf94c5b43


@@ -1641,6 +1641,21 @@ Class NSExceptionK, MAPIStoreFAIMessageK, MAPIStoreMessageTableK, MAPIStoreFAIMe
NSArray *permissionRoles;
BOOL reset, isAdd = NO, isDelete = NO, isModify = NO;
SOGoFolder *aclFolder;
SOGoUser *activeUser, *ownerUser;
/* Check if we have permissions to modify the permissions.
See [MS-OXCPERM] Section 3.2.5.2 for details */
ownerUser = [[self userContext] sogoUser];
activeUser = [context activeUser];
if (![activeUser isEqual: ownerUser])
{
/* Check if we have FolderOwner right */
NSArray *roles;
roles = [[self aclFolder] aclsForUser: [activeUser login]];
if (([self exchangeRightsForRoles: roles] & RightsFolderOwner) == 0)
return MAPISTORE_ERR_DENIED;
}
aclFolder = [self aclFolder];
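Review bot: The owner bypass at `if (![activeUser isEqual: ownerUser])` depends on how SOGoUser implements `isEqual:`, which this hunk does not show. If it falls back to pointer identity, two instances for the same account would send the real owner through the ACL lookup. That fails closed, but it may deny the owner if no explicit FolderOwner entry exists for them. Comparing the account identifiers states the intent directly, `if (![[activeUser login] isEqualToString: [ownerUser login]])`, and a nil login still falls through to the FolderOwner check. The `return MAPISTORE_ERR_DENIED;` path is also silent, so logging the active user's login and the folder before returning would leave a trace of rejected permission changes. The enclosing method starts and ends outside the hunk, so whether other entry points reach the ACL update without this check cannot be confirmed from here.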