(fix) check if the SENT-BY has access to organizer's calendar before modifying attendees' calendar (fixes #3759)

2016-08-09 16:17:17 -04:00 · 2016-08-09 16:17:17 -04:00 · 0e2336cc4e
parent e876c9d68e
commit 0e2336cc4e
1 changed files with 21 additions and 1 deletions
--- a/SoObjects/Appointments/SOGoAppointmentObject.m
+++ b/SoObjects/Appointments/SOGoAppointmentObject.m
@ -126,7 +126,7 @@
 }

 - (SOGoAppointmentObject *) _lookupEvent: (NSString *) eventUID
-				                          forUID: (NSString *) uid
+				  forUID: (NSString *) uid
 {
  SOGoAppointmentFolder *folder;
  SOGoAppointmentObject *object;
@ -2155,6 +2155,26 @@ inRecurrenceExceptionsForEvent: (iCalEvent *) theEvent

          if (userIsOrganizer)
            {
+	      // We check ACLs of the 'organizer' - in case someone forges the SENT-BY
+	      NSString *uid;
+
+	      uid = [[oldEvent organizer] uidInContext: context];
+
+	      if ([[[context activeUser] login] caseInsensitiveCompare: uid] != NSOrderedSame)
+		{
+		  SOGoAppointmentObject *organizerObject;
+
+		  organizerObject = [self _lookupEvent: [oldEvent uid] forUID: uid];
+		  roles = [[context activeUser] rolesForObject: organizerObject
+						     inContext: context];
+
+		  if (![roles containsObject: @"ComponentModifier"])
+		    {
+		      return [NSException exceptionWithHTTPStatus: 409
+							   reason: @"Not allowed to perform this action. Wrong SENT-BY being used regarding access rights on organizer's calendar."];
+		    }
+		}
+
              // A RECCURENCE-ID was removed
              if (!newEvent && oldEvent)
                [self prepareDeleteOccurence: oldEvent];