From a3796f9baaf9e97c4ca20147823f6182b003d02f Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Mon, 14 Nov 2016 13:55:31 -0800
Subject: SECURITY: public calendar leaks connection information (birthdays)
 when view_contacts is not allowed

---
 Zotlabs/Module/Cal.php | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Cal.php b/Zotlabs/Module/Cal.php
index fd4169e68..b2e1c9235 100644
--- a/Zotlabs/Module/Cal.php
+++ b/Zotlabs/Module/Cal.php
@@ -209,6 +209,10 @@ class Cal extends \Zotlabs\Web\Controller {
 			$adjust_start = datetime_convert('UTC', date_default_timezone_get(), $start);
 			$adjust_finish = datetime_convert('UTC', date_default_timezone_get(), $finish);
 	
+
+			if(! perm_is_allowed(\App::$profile['uid'],get_observer_hash(),'view_contacts'))
+				$sql_extra .= " and etype != 'birthday' ";
+
 			if (x($_GET,'id')){
 			  	$r = q("SELECT event.*, item.plink, item.item_flags, item.author_xchan, item.owner_xchan
 	                                from event left join item on resource_id = event_hash where resource_type = 'event' and event.uid = %d and event.id = %d $sql_extra limit 1",
-- 
cgit v1.2.3