From 18c8896b3c27ca1419ddf6e79cb296d51db3c201 Mon Sep 17 00:00:00 2001
From: Georg Ehrke <dev@georgswebsite.de>
Date: Mon, 14 May 2012 15:59:06 +0200
Subject: [PATCH] better user permission check for files in ajax/calendar/

---
 apps/calendar/ajax/calendar/activation.php | 6 +++++-
 apps/calendar/ajax/calendar/delete.php     | 6 +++++-
 apps/calendar/ajax/calendar/edit.php       | 6 +++++-
 apps/calendar/ajax/calendar/update.php     | 6 +++++-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/apps/calendar/ajax/calendar/activation.php b/apps/calendar/ajax/calendar/activation.php
index 3523590aa27..380db6a9437 100755
--- a/apps/calendar/ajax/calendar/activation.php
+++ b/apps/calendar/ajax/calendar/activation.php
@@ -10,7 +10,11 @@
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 $calendarid = $_POST['calendarid'];
-$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
+$calendar = OC_Calendar_App::getCalendar($calendarid, true);
+if(!$calendar){
+	OCP\JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
 $calendar = OC_Calendar_App::getCalendar($calendarid);
 OCP\JSON::success(array(
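Review bot: Nothing visible before `setCalendarActive()` ties this POST to a request token; the checks shown are login, app-enabled and the new ownership guard, so a logged-in owner's browser could still be made to submit the request cross-site. The first nine lines of activation.php are outside the hunk, so this may already be handled there. If it is not, add the framework's request-token check next to `OCP\JSON::checkLoggedIn();` (later ownCloud releases expose `OCP\JSON::callCheck();` for this; confirm it exists in this tree). The same question applies to the state-changing POST handlers in delete.php and update.php.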
diff --git a/apps/calendar/ajax/calendar/delete.php b/apps/calendar/ajax/calendar/delete.php
index a36a0534650..9e092f2df1d 100755
--- a/apps/calendar/ajax/calendar/delete.php
+++ b/apps/calendar/ajax/calendar/delete.php
@@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
 $cal = $_POST["calendarid"];
-$calendar = OC_Calendar_App::getCalendar($cal);
+$calendar = OC_Calendar_App::getCalendar($cal, true);
+if(!$calendar){
+	OCP\JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 $del = OC_Calendar_Calendar::deleteCalendar($cal);
 if($del == true){
 	OCP\JSON::success();
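Review bot: `OC_Calendar_Calendar::deleteCalendar($cal)` is still called with the bare id, so authorisation lives only in this script's guard and every other caller of the model method has to repeat it. Whether `deleteCalendar()` (and `setCalendarActive()` / `editCalendar()` in activation.php and update.php) checks ownership itself is not visible in this diff; if it does not, enforcing it inside the model would keep a future endpoint from skipping the check. It is also worth confirming that the `true` argument means ownership rather than any form of access, because if calendars can be shared, a destructive action should not be open to a user who can only view one. The `if($del == true)` branch continues outside the hunk.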
diff --git a/apps/calendar/ajax/calendar/edit.php b/apps/calendar/ajax/calendar/edit.php
index 77366809311..516c9f6c765 100755
--- a/apps/calendar/ajax/calendar/edit.php
+++ b/apps/calendar/ajax/calendar/edit.php
@@ -11,7 +11,11 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
 $calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
-$calendar = OC_Calendar_App::getCalendar($_GET['calendarid']);
+$calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);
+if(!$calendar){
+	OCP\JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 $tmpl = new OCP\Template("calendar", "part.editcalendar");
 $tmpl->assign('new', false);
 $tmpl->assign('calendarcolor_options', $calendarcolor_options);
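Review bot: The bare `true` passed to `getCalendar()` does not say what it enforces, and the `//access check` comments that activation.php and update.php carried are removed by this commit without a replacement. A one-line comment above the call would help, for example `// true: getCalendar() returns false unless the current user owns the calendar (confirm against OC_Calendar_App)`. The four-line guard is also pasted unchanged into all four scripts; a single shared helper that emits the error and exits would keep the message and behaviour from drifting apart. The template setup continues outside the hunk.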
diff --git a/apps/calendar/ajax/calendar/update.php b/apps/calendar/ajax/calendar/update.php
index 3b1cc32b316..dce0027304a 100755
--- a/apps/calendar/ajax/calendar/update.php
+++ b/apps/calendar/ajax/calendar/update.php
@@ -25,7 +25,11 @@ foreach($calendars as $cal){
 }
 
 $calendarid = $_POST['id'];
-$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
+$calendar = OC_Calendar_App::getCalendar($calendarid, true);
+if(!$calendar){
+	OCP\JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 OC_Calendar_Calendar::editCalendar($calendarid, strip_tags($_POST['name']), null, null, null, $_POST['color']);
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
 
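Review bot: `$_POST['color']` is handed to `editCalendar()` exactly as submitted, while the name in the same call at least goes through `strip_tags()`; the new ownership guard does not change that. Whether `editCalendar()` validates the value is not visible here. If it does not, and assuming `getCalendarColorOptions()` returns the list of permitted colour strings, reject anything else before the call: `if(!in_array($_POST['color'], OC_Calendar_Calendar::getCalendarColorOptions(), true)){ OCP\JSON::error(array('message'=>'invalid color')); exit; }`. `strip_tags()` is input filtering, not output encoding, so whatever later prints the name still needs to escape it. The `foreach($calendars as $cal)` loop named in the hunk header runs before the guard and lies outside the hunk.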
-- 
GitLab