aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2016-11-14 13:55:31 -0800
committerzotlabs <mike@macgirvin.com>2016-11-14 13:55:31 -0800
commit544330345bf23b6b65e7592f1fcde75ce0bd72bb (patch)
treec5a069ba666bbe22404e073880d13c9d51df917d
parentcf5c803fe0ebd976031584ee788eb5d762e8a798 (diff)
downloadvolse-hubzilla-544330345bf23b6b65e7592f1fcde75ce0bd72bb.tar.gz
volse-hubzilla-544330345bf23b6b65e7592f1fcde75ce0bd72bb.tar.bz2
volse-hubzilla-544330345bf23b6b65e7592f1fcde75ce0bd72bb.zip
SECURITY: public calendar leaks connection information (birthdays) when view_contacts is not allowed
-rw-r--r--Zotlabs/Module/Cal.php4
1 files changed, 4 insertions, 0 deletions
diff --git a/Zotlabs/Module/Cal.php b/Zotlabs/Module/Cal.php
index d03e2e951..1279a51b1 100644
--- a/Zotlabs/Module/Cal.php
+++ b/Zotlabs/Module/Cal.php
@@ -209,6 +209,10 @@ class Cal extends \Zotlabs\Web\Controller {
$adjust_start = datetime_convert('UTC', date_default_timezone_get(), $start);
$adjust_finish = datetime_convert('UTC', date_default_timezone_get(), $finish);
+
+ if(! perm_is_allowed(\App::$profile['uid'],get_observer_hash(),'view_contacts'))
+ $sql_extra .= " and etype != 'birthday' ";
+
if (x($_GET,'id')){
$r = q("SELECT event.*, item.plink, item.item_flags, item.author_xchan, item.owner_xchan
from event left join item on resource_id = event_hash where resource_type = 'event' and event.uid = %d and event.id = %d $sql_extra limit 1",