diff options
| author | zotlabs <mike@macgirvin.com> | 2016-11-14 13:55:31 -0800 |
|---|---|---|
| committer | zotlabs <mike@macgirvin.com> | 2016-11-14 14:01:53 -0800 |
| commit | a3796f9baaf9e97c4ca20147823f6182b003d02f (patch) | |
| tree | 0c14b931dd305ec10d85f0b1c00e1dd2fe2fe754 /Zotlabs | |
| parent | bdc279a49b68a7de394811ad2810e5e91762ac60 (diff) | |
| download | volse-hubzilla-a3796f9baaf9e97c4ca20147823f6182b003d02f.tar.gz volse-hubzilla-a3796f9baaf9e97c4ca20147823f6182b003d02f.tar.bz2 volse-hubzilla-a3796f9baaf9e97c4ca20147823f6182b003d02f.zip | |
SECURITY: public calendar leaks connection information (birthdays) when view_contacts is not allowed
Diffstat (limited to 'Zotlabs')
| -rw-r--r-- | Zotlabs/Module/Cal.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Zotlabs/Module/Cal.php b/Zotlabs/Module/Cal.php index fd4169e68..b2e1c9235 100644 --- a/Zotlabs/Module/Cal.php +++ b/Zotlabs/Module/Cal.php @@ -209,6 +209,10 @@ class Cal extends \Zotlabs\Web\Controller { $adjust_start = datetime_convert('UTC', date_default_timezone_get(), $start); $adjust_finish = datetime_convert('UTC', date_default_timezone_get(), $finish); + + if(! perm_is_allowed(\App::$profile['uid'],get_observer_hash(),'view_contacts')) + $sql_extra .= " and etype != 'birthday' "; + if (x($_GET,'id')){ $r = q("SELECT event.*, item.plink, item.item_flags, item.author_xchan, item.owner_xchan from event left join item on resource_id = event_hash where resource_type = 'event' and event.uid = %d and event.id = %d $sql_extra limit 1", |