From cb55413e91ac0f10b649abaaeaa5fdab141f0958 Mon Sep 17 00:00:00 2001
From: smizrahi
Date: Wed, 3 Apr 2024 09:18:53 +0200
Subject: [PATCH] fix(calendar): Fix issue where a calendar's subscribed user can give acl to another user

---
 SoObjects/SOGo/SOGoObject.m | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/SoObjects/SOGo/SOGoObject.m b/SoObjects/SOGo/SOGoObject.m
index a9baf5185..020d8e850 100644
--- a/SoObjects/SOGo/SOGoObject.m
+++ b/SoObjects/SOGo/SOGoObject.m
@@ -1399,6 +1399,10 @@
 }
 else if ([nodeName isEqualToString: @"set-roles"])
 {
+ // Disable Acl modifications if this is not the owner
+ if (![[[context activeUser] login] isEqualToString: owner])
+ return nil;
+
 // We support two ways of setting roles. The first one is, for example:
 //
 //
@@ -1426,8 +1430,7 @@
 allRoles = [self _davGetRolesFromRequest: node];
 for (i = 0; i < [allUsers count]; i++)
 {
- if ([[[context activeUser] login] isEqualToString: owner])
- [self setRoles: allRoles
+ [self setRoles: allRoles
 forUser: [allUsers objectAtIndex: i]];
 }
 result = @"";
@@ -1447,6 +1450,9 @@
 //
 else if ([nodeName isEqualToString: @"add-user"])
 {
+ // Disable Acl modifications if this is not the owner
+ if (![[[context activeUser] login] isEqualToString: owner])
+ return nil;
 attrs = [node attributes];
 userAttr = [attrs namedItem: @"user"];
 user = [userAttr nodeValue];
@@ -1455,6 +1461,9 @@
 }
 else if ([nodeName isEqualToString: @"add-users"])
 {
+ // Disable Acl modifications if this is not the owner
+ if (![[[context activeUser] login] isEqualToString: owner])
+ return nil;
 attrs = [node attributes];
 userAttr = [attrs namedItem: @"users"];
 allUsers = [[userAttr nodeValue] componentsSeparatedByString: @","];
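Review bot: The new guard at the top of the set-roles branch refuses the request with a bare `return nil;`, so what the subscriber actually receives depends entirely on how the caller of this method treats a nil result; if that is mapped to an empty 2xx, the refusal is invisible and a rejected ACL change looks like a successful one. An authorization denial should surface as an explicit 403, using whatever HTTP-exception helper this file already uses for permission failures, so that clients and audit logs can distinguish a refused ACL change from an applied one. The comment `// Disable Acl modifications if this is not the owner` would also read more accurately as `// Only the calendar owner may change its ACL; anyone else is refused here`. The enclosing method starts before this hunk.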
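Review bot: The owner test is now copy-pasted verbatim into four branches of this dispatch, which is fragile for an authorization check: any ACL-mutating branch that sits outside these hunks, or one added later, stays unguarded unless someone remembers to paste it again. I would evaluate it once before the `nodeName` comparisons begin, or at least factor it into a small private helper so that each branch reads `if (![self _activeUserIsOwner]) return nil;` and the policy lives in one place. It is also worth a comment that the comparison fails closed — `// A nil login or nil owner makes isEqualToString: return NO, so access is refused` — since that is the reason a missing owner is not a bypass. The enclosing method starts before this hunk and the add-user branch continues past it.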
@@ -1475,6 +1484,9 @@
 //
 else if ([nodeName isEqualToString: @"remove-user"])
 {
+ // Disable Acl modifications if this is not the owner
+ if (![[[context activeUser] login] isEqualToString: owner])
+ return nil;
 attrs = [node attributes];
 userAttr = [attrs namedItem: @"user"];
 user = [userAttr nodeValue];
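Review bot: The guard compares the active login to `owner` with a case-sensitive `isEqualToString:`, so if logins are matched case-insensitively elsewhere in a deployment (common with LDAP-backed directories) an owner whose session login differs from the stored owner string only in case is now locked out of managing the ACL on their own calendar. Failing closed is the right default for an authorization check, but the comparison should go through the same login normalization the rest of SOGoObject uses, if there is one, rather than a raw string compare. The check also admits only the literal owner; if administrators are expected to be able to manage ACLs, confirm that policy before merging, because they are refused here too. The enclosing method starts before this hunk.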