fix(calendar): Fix issue where a calendar's subscribed user can give …

…acl to another user
Alinto · Apr 3, 2024 · cb55413 · cb55413
1 parent 0fafda5
commit cb55413
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/SoObjects/SOGo/SOGoObject.m b/SoObjects/SOGo/SOGoObject.m
@@ -1399,6 +1399,10 @@ - (NSString *) _davAclActionFromQuery: (id <DOMDocument>) document
 	}
       else if ([nodeName isEqualToString: @"set-roles"])
 	{
+    // Disable Acl modifications if this is not the owner
+    if (![[[context activeUser] login] isEqualToString: owner])
+      return nil;
+
 	  // We support two ways of setting roles. The first one is, for example:
 	  //
 	  // <?xml version="1.0" encoding="UTF-8"?>
@@ -1426,8 +1430,7 @@ - (NSString *) _davAclActionFromQuery: (id <DOMDocument>) document
 	  allRoles = [self _davGetRolesFromRequest: node];
 	  for (i = 0; i < [allUsers count]; i++)
 	    { 
-        if ([[[context activeUser] login] isEqualToString: owner])
-	        [self setRoles: allRoles
+	      [self setRoles: allRoles
                      forUser: [allUsers objectAtIndex: i]];
 	    }
 	  result = @"";
@@ -1447,6 +1450,9 @@ - (NSString *) _davAclActionFromQuery: (id <DOMDocument>) document
       //
       else if ([nodeName isEqualToString: @"add-user"])
 	{
+    // Disable Acl modifications if this is not the owner
+    if (![[[context activeUser] login] isEqualToString: owner])
+      return nil;
 	  attrs = [node attributes];
 	  userAttr = [attrs namedItem: @"user"];
 	  user = [userAttr nodeValue];
@@ -1455,6 +1461,9 @@ - (NSString *) _davAclActionFromQuery: (id <DOMDocument>) document
 	}
       else if ([nodeName isEqualToString: @"add-users"])
 	{
+    // Disable Acl modifications if this is not the owner
+    if (![[[context activeUser] login] isEqualToString: owner])
+      return nil;
 	  attrs = [node attributes];
 	  userAttr = [attrs namedItem: @"users"];
 	  allUsers = [[userAttr nodeValue] componentsSeparatedByString: @","];
@@ -1475,6 +1484,9 @@ - (NSString *) _davAclActionFromQuery: (id <DOMDocument>) document
       //
       else if ([nodeName isEqualToString: @"remove-user"])
 	{
+    // Disable Acl modifications if this is not the owner
+    if (![[[context activeUser] login] isEqualToString: owner])
+      return nil;
 	  attrs = [node attributes];
 	  userAttr = [attrs namedItem: @"user"];
 	  user = [userAttr nodeValue];