From a54d8ecc375bbc1f79cd56e913f6e281d6b8b581 Mon Sep 17 00:00:00 2001
From: Evert Pot
Date: Fri, 29 Apr 2016 17:23:19 +0700
Subject: [PATCH 1/2] Now checking schedule-query-freebusy instead of read-free-busy. As we should have.
---
 CHANGELOG.md | 4 ++++
 lib/CalDAV/Schedule/Plugin.php | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac38b2feab..2db7586047 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -53,6 +53,10 @@ ChangeLog
 * #798: Added an index on `firstoccurence` field in MySQL CalDAV backend. This should speed up common calendar-query requests.
 * #759: DAV\Client is now able to actually correctly resolve relative urls.
+* #671: We are no longer checking the `read-free-busy` privilege on individual
+ calendars during freebusy operations in the scheduling plugin. Instead, we
+ check the `schedule-query-freebusy` privilege on the target users' inbox,
+ which validates access for the entire account, per the spec.
 3.1.3 (2016-04-06)
diff --git a/lib/CalDAV/Schedule/Plugin.php b/lib/CalDAV/Schedule/Plugin.php
index d2c88e712f..94d950ec3f 100644
--- a/lib/CalDAV/Schedule/Plugin.php
+++ b/lib/CalDAV/Schedule/Plugin.php
@@ -935,6 +935,9 @@ protected function getFreeBusyForEmail($email, \DateTimeInterface $start, \DateT
 $homeSet = $result[0][200][$caldavNS . 'calendar-home-set']->getHref();
 $inboxUrl = $result[0][200][$caldavNS . 'schedule-inbox-URL']->getHref();
+ // Do we have permission?
+ $aclPlugin->checkPrivileges($inboxUrl, $caldavNS . 'schedule-query-freebusy');
+
 // Grabbing the calendar list
 $objects = [];
 $calendarTimeZone = new DateTimeZone('UTC');
@@ -954,8 +957,6 @@ protected function getFreeBusyForEmail($email, \DateTimeInterface $start, \DateT
 continue;
 }
- $aclPlugin->checkPrivileges($homeSet . $node->getName(), $caldavNS . 'read-free-busy');
-
 if (isset($props[$ctz])) {
 $vtimezoneObj = VObject\Reader::read($props[$ctz]);
 $calendarTimeZone = $vtimezoneObj->VTIMEZONE->getTimeZone();
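Review bot: The added `$aclPlugin->checkPrivileges($inboxUrl, $caldavNS . 'schedule-query-freebusy');` in the `@@ -935` hunk of lib/CalDAV/Schedule/Plugin.php uses the two-argument form, which by default throws when the privilege is missing, so a single recipient who denies free-busy access would presumably fail the whole request instead of producing a per-recipient status. scheduleLocalDelivery in the same file already uses the non-throwing form and records a `3.8;...` status, and I would mirror that here with `if (!$aclPlugin->checkPrivileges($inboxUrl, $caldavNS . 'schedule-query-freebusy', DAVACL\Plugin::R_PARENT, false)) {` followed by returning this method's failure result for that recipient. Because the `@@ -954` hunk drops the per-calendar `read-free-busy` check, this inbox check becomes the only authorization gate on the free-busy data, yet the diffstat shows no test covering the denied case. The body of getFreeBusyForEmail starts and ends outside both hunks, so the exact return shape has to be confirmed there.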
From bd53dcf621fc55f59a8e5161ecd9c96f12cc37dd Mon Sep 17 00:00:00 2001
From: Evert Pot
Date: Mon, 2 May 2016 17:18:03 +0800
Subject: [PATCH 2/2] Better error message.
---
 lib/CalDAV/Schedule/Plugin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/CalDAV/Schedule/Plugin.php b/lib/CalDAV/Schedule/Plugin.php
index 94d950ec3f..47511140f0 100644
--- a/lib/CalDAV/Schedule/Plugin.php
+++ b/lib/CalDAV/Schedule/Plugin.php
@@ -505,7 +505,7 @@ function scheduleLocalDelivery(ITip\Message $iTipMessage) {
 }
 if (!$aclPlugin->checkPrivileges($inboxPath, $caldavNS . $privilege, DAVACL\Plugin::R_PARENT, false)) {
- $iTipMessage->scheduleStatus = '3.8;organizer did not have the ' . $privilege . ' privilege on the attendees inbox';
+ $iTipMessage->scheduleStatus = '3.8;insufficient privileges: ' . $privilege . ' is required on the recipient schedule inbox.';
 return;
 }