hi!
starting on Patrick Mulrooney's work in in
https://sourceforge.net/p/davical/patches/5/ I've attached a set of
patches (based on davical/stretch-backports,now 1.1.8-1+deb10u1~bpo9+1)
to limit users view to own user and users of groups its member of.
gre3tings, Klaus
--- /usr/share/davical/inc/always.php.in.orig 2019-01-30 20:52:46.000000000 +0100
+++ /usr/share/davical/inc/always.php.in 2020-05-02 18:35:22.442020949 +0200
@@ -93,6 +93,7 @@
$c->base_url = preg_replace('#/[^/]+\.php.*$#', '', $_SERVER['SCRIPT_NAME']);
$c->base_directory = preg_replace('#/[^/]*$#', '', $_SERVER['DOCUMENT_ROOT']);
$c->default_privileges = array('read-free-busy', 'schedule-deliver');
+$c->list_everyone = true;
$c->enable_auto_schedule = true;
--- /usr/share/davical/htdocs/always.php.orig 2020-04-21 23:23:53.000000000 +0200
+++ /usr/share/davical/htdocs/always.php 2020-05-02 18:34:19.873738736 +0200
@@ -134,6 +134,7 @@
$c->base_url = preg_replace('#/[^/]+\.php.*$#', '', $_SERVER['SCRIPT_NAME']);
$c->base_directory = preg_replace('#/[^/]*$#', '', $_SERVER['DOCUMENT_ROOT']);
$c->default_privileges = array('read-free-busy', 'schedule-deliver');
+$c->list_everyone = true;
$c->enable_auto_schedule = true;
--- /usr/share/davical/inc/ui/collection-edit.php.orig 2020-04-21 23:23:53.000000000 +0200
+++ /usr/share/davical/inc/ui/collection-edit.php 2020-05-02 18:28:50.600242993 +0200
@@ -416,7 +416,13 @@
$grantrow = new Editor("Grants", "grants");
$grantrow->SetSubmitName( 'savegrantrow' );
- $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT member_id FROM group_member WHERE group_id = '.$id.') ORDER BY displayname' );
+ $limit_grantrow = '';
+ if ( ! $c->list_everyone ) {
+ if ( ! $session->AllowedTo( "Admin" ) ) {
+ $limit_grantrow = 'AND (principal_id = \''.$session->principal_id.'\' or principal_id in (select member_id from group_member where group_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\')) or principal_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\'))';
+ }
+ }
+ $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT member_id FROM group_member WHERE group_id = '.$id.') '.$limit_grantrow.' ORDER BY displayname' );
if ( $can_write_collection ) {
if ( $grantrow->IsSubmit() ) {
$_POST['by_collection'] = $id;
--- /etc/davical/config.php.orig 2020-04-21 23:23:53.000000000 +0200
+++ /etc/davical/config.php 2020-05-02 18:23:54.486873745 +0200
@@ -113,6 +113,14 @@
// $c->local_styles = array();
// $c->print_styles = array();
+/**
+* Allow users to see all accounts listed, or only their account and
+* the accounts they have a relationship to in the web interface.
+* Admins will still be able to see all accounts.
+* Default: true
+*/
+// $c->list_everyone = false;
+
/***************************************************************************
* *
--- /usr/share/davical/inc/ui/principal-browse.php.orig 2016-12-28 10:35:25.000000000 +0100
+++ /usr/share/davical/inc/ui/principal-browse.php 2020-05-02 17:23:27.106920933 +0200
@@ -35,6 +35,16 @@
$browser->AndWhere( 'type_id = '.$principal_type );
}
+if ( ! $c->list_everyone ) {
+ if ( ! $session->AllowedTo( "Admin" ) ) {
+ if ( isset($principal_type) && ( $principal_type == 1 || $principal_type == 2 ) ) {
+ $browser->AndWhere( '(principal_id = \''.$session->principal_id.'\' or principal_id in (select member_id from group_member where group_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\')))' );
+ }
+ if ( isset($principal_type) && $principal_type == 3 ) {
+ $browser->AndWhere( '(principal_id = \''.$session->principal_id.'\' or principal_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\'))' );
+ }
+ }
+}
$c->page_title = $browser->Title();
--- /usr/share/davical/inc/ui/principal-edit.php.orig 2020-04-21 23:23:53.000000000 +0200
+++ /usr/share/davical/inc/ui/principal-edit.php 2020-05-02 18:06:02.729799715 +0200
@@ -615,7 +615,7 @@
function grant_row_editor() {
- global $c, $id, $editor, $can_write_principal, $privilege_names;
+ global $c, $id, $editor, $can_write_principal, $privilege_names, $session;
$grantrow = new Editor("Grants", "grants");
$grantrow->SetSubmitName( 'savegrantrow' );
@@ -623,7 +623,13 @@
if ( isset($_GET['edit_grant']) ) {
$edit_grant_clause = ' AND to_principal != '.intval($_GET['edit_grant']);
}
- $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE user_active AND principal_id NOT IN (SELECT to_principal FROM grants WHERE by_principal = '.$id.$edit_grant_clause.') ORDER BY fullname' );
+ $limit_grantrow = '';
+ if ( ! $c->list_everyone ) {
+ if ( ! $session->AllowedTo( "Admin" ) ) {
+ $limit_grantrow = 'AND (principal_id = \''.$session->principal_id.'\' or principal_id in (select member_id from group_member where group_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\')) or principal_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\'))';
+ }
+ }
+ $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE user_active AND principal_id NOT IN (SELECT to_principal FROM grants WHERE by_principal = '.$id.$edit_grant_clause.') '.$limit_grantrow.' ORDER BY fullname' );
if ( $can_write_principal ) {
if ( $grantrow->IsSubmit() ) {
if ( $grantrow->IsUpdate() )