harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SECURITY: public calendar leaks connection information (birthdays) when view_contacts is not allowed

Browse Source
This commit is contained in:
zotlabs 2016-11-14 13:55:31 -08:00
parent bdc279a49b
commit a3796f9baa
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Zotlabs/Module/Cal.php
View File

@ -209,6 +209,10 @@ class Cal extends \Zotlabs\Web\Controller {
$adjust_start = datetime_convert('UTC', date_default_timezone_get(), $start);
$adjust_finish = datetime_convert('UTC', date_default_timezone_get(), $finish);
if(! perm_is_allowed(\App::$profile['uid'],get_observer_hash(),'view_contacts'))
$sql_extra .= " and etype != 'birthday' ";
if (x($_GET,'id')){
$r = q("SELECT event.*, item.plink, item.item_flags, item.author_xchan, item.owner_xchan
from event left join item on resource_id = event_hash where resource_type = 'event' and event.uid = %d and event.id = %d $sql_extra limit 1",