* SoObjects/Appointments/SOGoAppointmentObject.m (_handleResourcesConflicts):

Deny access to resources if the resource's ACL don't allow the organizer
  to read its freebusy info.
  Without this, sogo would always auto-accept invitations from 'unprivileged'
  users, potentially bypassing the multiplebooking parameter.

Monotone-Parent: 8ac367dca61f0a4a66df59c7c786dd0f5016050d
Monotone-Revision: 1f2bd4b4727f3158ab77ca76322cd555967d326a

Monotone-Author: jraby@inverse.ca
Monotone-Date: 2012-05-15T14:36:52

ChangeLog

@@ -1,3 +1,11 @@
+2012-05-15  Jean Raby  <jraby@inverse.ca>
+
+	* SoObjects/Appointments/SOGoAppointmentObject.m (_handleResourcesConflicts):
+	Deny access to resources if the resource's ACL don't allow the organizer
+	to read its freebusy info.
+	Without this, sogo would always auto-accept invitations from 'unprivileged'
+	users, potentially bypassing the multiplebooking parameter.
+	
 2012-05-14  Wolfgang Sourdeau  <wsourdeau@inverse.ca>
 
 	* UI/WebServerResources/UIxContactsUserFolders.js: folder ids are

SoObjects/Appointments/English.lproj/Localizable.strings

@@ -67,4 +67,5 @@ vtodo_class2 = "(Confidential task)";
 = "%{Attendee} %{SentByText}has not yet decided upon your event invitation.";
 
 /* Resources */
-"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}." = "Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}.";
+"Cannot access resource: \"%{Cn} %{SystemEmail}\"" = "Cannot access resource: \"%{Cn} %{SystemEmail}\"";
+"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}." = "Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\". The conflicting event is \"%{EventTitle}\", and starts on %{StartDate}.";

SoObjects/Appointments/French.lproj/Localizable.strings

@@ -67,4 +67,5 @@ vtodo_class2 = "(Tâche confidentielle)";
 = "%{Attendee} %{SentByText}choisit de reporter sa décision par rapport à votre invitation.";
 
 /* Resources */
-"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\"." = "Le nombre maximum (%{NumberOfSimultaneousBookings}) de réservation(s) simultanée(s) a été atteint pour la ressource \"%{Cn} %{SystemEmail}\".";
+"Cannot access resource: \"%{Cn} %{SystemEmail}\"" = "Impossible d'accéder à la resource: \"%{Cn} %{SystemEmail}\"";
+"Maximum number of simultaneous bookings (%{NumberOfSimultaneousBookings}) reached for resource \"%{Cn} %{SystemEmail}\"." = "Le nombre maximum (%{NumberOfSimultaneousBookings}) de réservation(s) simultanée(s) a été atteint pour la ressource \"%{Cn} %{SystemEmail}\".";

SoObjects/Appointments/SOGoAppointmentObject.m

@@ -467,7 +467,19 @@
 	      folder = [[SOGoUser userWithLogin: currentUID]
 			 personalCalendarFolderInContext: context];
 
-	      
+	      // Deny access to the resource if the ACLs don't allow the user
+	      if (![folder aclSQLListingFilter])
+	        {
+		  NSDictionary *values;
+		  NSString *reason;
+
+		  values = [NSDictionary dictionaryWithObjectsAndKeys:
+		  		[user cn], @"Cn",
+				[user systemEmail], @"SystemEmail"];
+		  reason = [values keysWithFormat: [self labelForKey: @"Cannot access resource: \"%{Cn} %{SystemEmail}\""]];
+	      	  return [NSException exceptionWithHTTPStatus:403 reason: reason];
+	      	}
+
 	      fbInfo = [NSMutableArray arrayWithArray: [folder fetchFreeBusyInfosFrom: start
 							       to: end]];