author | zotlabs <mike@macgirvin.com> | 2016-11-14 13:55:31 -0800 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2016-11-14 13:55:31 -0800 |
commit | 544330345bf23b6b65e7592f1fcde75ce0bd72bb (patch) | |
tree | c5a069ba666bbe22404e073880d13c9d51df917d | |
parent | cf5c803fe0ebd976031584ee788eb5d762e8a798 (diff) | |
SECURITY: public calendar leaks connection information (birthdays) when view_contacts is not allowed
-rw-r--r-- | Zotlabs/Module/Cal.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Zotlabs/Module/Cal.php b/Zotlabs/Module/Cal.php
index d03e2e951..1279a51b1 100644
--- a/Zotlabs/Module/Cal.php
+++ b/Zotlabs/Module/Cal.php
@@ -209,6 +209,10 @@ class Cal extends \Zotlabs\Web\Controller {
 $adjust_start = datetime_convert('UTC', date_default_timezone_get(), $start);
 $adjust_finish = datetime_convert('UTC', date_default_timezone_get(), $finish);
+
+ if(! perm_is_allowed(\App::$profile['uid'],get_observer_hash(),'view_contacts'))
+ $sql_extra .= " and etype != 'birthday' ";
+
 if (x($_GET,'id')){
 $r = q("SELECT event.*, item.plink, item.item_flags, item.author_xchan, item.owner_xchan from event left join item on resource_id = event_hash where resource_type = 'event' and event.uid = %d and event.id = %d $sql_extra limit 1", |