From bcf94c5b4322ad50e7c48bce0937527aa04fdfd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Enrique=20J=2E=20Hern=C3=A1ndez=20Blasco?=
 <ejhernandez@zentyal.com>
Date: Wed, 27 Jan 2016 23:03:08 +0100
Subject: [PATCH] oc: Check FolderOwner right to modify permissions

As specified by [MS-OXCPERM] Section 3.2.5.2, the ModifyPermissions ROP
is only possible to users which have this right.

After this changeset, we check the active user can modify permission
list. This is a security fix.
---
 OpenChange/MAPIStoreFolder.m | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/OpenChange/MAPIStoreFolder.m b/OpenChange/MAPIStoreFolder.m
index d94166e38..48c762499 100644
--- a/OpenChange/MAPIStoreFolder.m
+++ b/OpenChange/MAPIStoreFolder.m
@@ -1641,6 +1641,21 @@ Class NSExceptionK, MAPIStoreFAIMessageK, MAPIStoreMessageTableK, MAPIStoreFAIMe
   NSArray *permissionRoles;
   BOOL reset, isAdd = NO, isDelete = NO, isModify = NO;
   SOGoFolder *aclFolder;
+  SOGoUser *activeUser, *ownerUser;
+
+  /* Check if we have permissions to modify the permissions.
+   See [MS-OXCPERM] Section 3.2.5.2 for details */
+  ownerUser = [[self userContext] sogoUser];
+  activeUser = [context activeUser];
+  if (![activeUser isEqual: ownerUser])
+    {
+      /* Check if we have FolderOwner right */
+      NSArray *roles;
+
+      roles = [[self aclFolder] aclsForUser: [activeUser login]];
+      if (([self exchangeRightsForRoles: roles] & RightsFolderOwner) == 0)
+        return MAPISTORE_ERR_DENIED;
+    }
 
   aclFolder = [self aclFolder];