[kronolith] Patches for kronolith

Jason Rust jrust at rustyparts.com
Tue May 6 16:38:01 PDT 2003


Below are two patches for kronolith.  The first one fixes a bug whereby,
if the default_share is set to something other than the personal
calendar (i.e. a group calendar) and is locked, the hidden input for the
calendar was still the user's calendar instead of the default_share:

Index: templates/edit/edit.inc
===================================================================
RCS file: /repository/kronolith/templates/edit/edit.inc,v
retrieving revision 1.82
diff -r1.82 edit.inc
66c66
< <input type="hidden" name="targetcalendar" value="<?php echo htmlspecialchars(Auth::getAuth()) ?>" />
---
> <input type="hidden" name="targetcalendar" value="<?php echo > htmlspecialchars($calendar_id) ?>" />
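
Review bot: the replacement line for edit.inc line 66 has a stray `>` between `echo` and `htmlspecialchars($calendar_id)`, which looks like quoting damage from mail wrapping. `<?php echo > htmlspecialchars(...)` is not valid PHP, so this hunk should be resent unwrapped or as an attachment before it is applied. Separately, `targetcalendar` is still a hidden form field that the client can change, so this hunk only corrects the default value; the permission check has to happen where the form is processed.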

The patch below tightens up security on adding and editing events so
that those without permissions cannot add or edit events by manually
typing addevent/editevent.php into the URL:

Index: addeventaction.php
===================================================================
RCS file: /repository/kronolith/addeventaction.php,v
retrieving revision 1.35
diff -r1.35 addeventaction.php
15,18c15,24
<     $calendar->open(Horde::getFormData('targetcalendar', Auth::getAuth()));
<     $event = $calendar->getEventObject();
<     $event->readForm();
<     $event->save();
---
>     $calendar_id = Horde::getFormData('targetcalendar', Auth::getAuth());
>     $share =& $shares->getShare($calendar_id);
>     if (!$share->hasPermission(Auth::getAuth(), _PERMS_EDIT)) {
>         $notification->push(_("You do not have permission to add this event."), 'horde.warning');
>     } else {
>         $calendar->open($calendar_id);
>         $event = $calendar->getEventObject();
>         $event->readForm();
>         $event->save();
>     }
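
Review bot: the result of `$shares->getShare($calendar_id)` is used on the very next line without checking that a share was actually returned. `$calendar_id` comes from the `targetcalendar` form field, so a request naming a calendar that does not exist reaches `$share->hasPermission(...)` with whatever getShare() returns on failure. Test the result first and treat a failed lookup as a denial. A short comment above the check noting that the form value is untrusted would also help the next reader.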
Index: editeventaction.php
===================================================================
RCS file: /repository/kronolith/editeventaction.php,v
retrieving revision 1.41
diff -r1.41 editeventaction.php
32,35c32,35
<
<         if (Horde::getFormData('saveAsNew')) {
<             $calendar->open($target);
<             $event = $calendar->getEventObject();
---
>         $share =& $shares->getShare($target);
>
>         if (!$share->hasPermission(Auth::getAuth(), _PERMS_EDIT)) {
>             $notification->push(_("You do not have permission to edit this event."), 'horde.warning');
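
Review bot: `$shares->getShare($target)` is dereferenced in the `if` that follows without a failure check, the same pattern as in addeventaction.php. If `$target` can name a share that does not exist, `hasPermission()` is called on the failure value. Check the lookup result before testing `_PERMS_EDIT` and fall through to the "You do not have permission" notification when it fails.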
37,41c37
<             if ($target != $source) {
<                 $calendar->open($source);
<                 $calendar->deleteEvent(Horde::getFormData('eventID'));
<                 $calendar->close();
<
---
>             if (Horde::getFormData('saveAsNew')) {
44,46c40,51
<             } else {
<                 $calendar->open($source);
<                 $event = $calendar->getEventObject(Horde::getFormData('eventID'));
---
>             } else {
>                 if ($target != $source) {
>                     $calendar->open($source);
>                     $calendar->deleteEvent(Horde::getFormData('eventID'));
>                     $calendar->close();
>
>                     $calendar->open($target);
>                     $event = $calendar->getEventObject();
>                 } else {
>                     $calendar->open($source);
>                     $event = $calendar->getEventObject(Horde::getFormData('eventID'));
>                 }
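
Review bot: in the `$target != $source` branch the event is removed from `$source` with `$calendar->deleteEvent(Horde::getFormData('eventID'))`, but the only permission check this patch adds is on the `$target` share. Edit rights on the target calendar are therefore enough to delete an event from a source calendar on which the user's permission was never tested. Fetch the `$source` share as well and require the appropriate permission on it before calling `deleteEvent()`, denying the move if either check fails.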

-Jason

-- 
http://www.rustyparts.com/
puttin' some rust into it!

