hi!

starting on Patrick Mulrooney's work in in https://sourceforge.net/p/davical/patches/5/ I've attached a set of patches (based on davical/stretch-backports,now 1.1.8-1+deb10u1~bpo9+1) to limit users view to own user and users of groups its member of.

gre3tings, Klaus
--- /usr/share/davical/inc/always.php.in.orig	2019-01-30 20:52:46.000000000 +0100
+++ /usr/share/davical/inc/always.php.in	2020-05-02 18:35:22.442020949 +0200
@@ -93,6 +93,7 @@
 $c->base_url = preg_replace('#/[^/]+\.php.*$#', '', $_SERVER['SCRIPT_NAME']);
 $c->base_directory = preg_replace('#/[^/]*$#', '', $_SERVER['DOCUMENT_ROOT']);
 $c->default_privileges = array('read-free-busy', 'schedule-deliver');
+$c->list_everyone = true;
 
 $c->enable_auto_schedule = true;
 
--- /usr/share/davical/htdocs/always.php.orig	2020-04-21 23:23:53.000000000 +0200
+++ /usr/share/davical/htdocs/always.php	2020-05-02 18:34:19.873738736 +0200
@@ -134,6 +134,7 @@
 $c->base_url = preg_replace('#/[^/]+\.php.*$#', '', $_SERVER['SCRIPT_NAME']);
 $c->base_directory = preg_replace('#/[^/]*$#', '', $_SERVER['DOCUMENT_ROOT']);
 $c->default_privileges = array('read-free-busy', 'schedule-deliver');
+$c->list_everyone = true;
 
 $c->enable_auto_schedule = true;
 
--- /usr/share/davical/inc/ui/collection-edit.php.orig	2020-04-21 23:23:53.000000000 +0200
+++ /usr/share/davical/inc/ui/collection-edit.php	2020-05-02 18:28:50.600242993 +0200
@@ -416,7 +416,13 @@
 
   $grantrow = new Editor("Grants", "grants");
   $grantrow->SetSubmitName( 'savegrantrow' );
-  $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT member_id FROM group_member WHERE group_id = '.$id.') ORDER BY displayname' );
+  $limit_grantrow = '';
+  if ( ! $c->list_everyone ) {
+    if ( ! $session->AllowedTo( "Admin" ) ) {
+      $limit_grantrow = 'AND (principal_id = \''.$session->principal_id.'\' or principal_id in (select member_id from group_member where group_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\')) or principal_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\'))';
+    }
+  }
+  $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT member_id FROM group_member WHERE group_id = '.$id.') '.$limit_grantrow.' ORDER BY displayname' );
   if ( $can_write_collection ) {
     if ( $grantrow->IsSubmit() ) {
       $_POST['by_collection'] = $id;
--- /etc/davical/config.php.orig	2020-04-21 23:23:53.000000000 +0200
+++ /etc/davical/config.php	2020-05-02 18:23:54.486873745 +0200
@@ -113,6 +113,14 @@
 // $c->local_styles = array();
 // $c->print_styles = array();
 
+/**
+* Allow users to see all accounts listed, or only their account and
+* the accounts they have a relationship to in the web interface. 
+* Admins will still be able to see all accounts.
+* Default: true
+*/
+// $c->list_everyone = false;
+
 
 /***************************************************************************
 *                                                                          *
--- /usr/share/davical/inc/ui/principal-browse.php.orig	2016-12-28 10:35:25.000000000 +0100
+++ /usr/share/davical/inc/ui/principal-browse.php	2020-05-02 17:23:27.106920933 +0200
@@ -35,6 +35,16 @@
   $browser->AndWhere( 'type_id = '.$principal_type );
 }
 
+if ( ! $c->list_everyone ) {
+  if ( ! $session->AllowedTo( "Admin" ) ) { 
+    if ( isset($principal_type) && ( $principal_type == 1 || $principal_type == 2 ) ) {
+      $browser->AndWhere( '(principal_id = \''.$session->principal_id.'\' or principal_id in (select member_id from group_member where group_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\')))' );
+    }
+    if ( isset($principal_type) && $principal_type == 3 ) {
+      $browser->AndWhere( '(principal_id = \''.$session->principal_id.'\' or principal_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\'))' );
+    }
+  }
+}
 
 $c->page_title = $browser->Title();
 
--- /usr/share/davical/inc/ui/principal-edit.php.orig	2020-04-21 23:23:53.000000000 +0200
+++ /usr/share/davical/inc/ui/principal-edit.php	2020-05-02 18:06:02.729799715 +0200
@@ -615,7 +615,7 @@
 
 
 function grant_row_editor() {
-  global $c, $id, $editor, $can_write_principal, $privilege_names;
+  global $c, $id, $editor, $can_write_principal, $privilege_names, $session;
 
   $grantrow = new Editor("Grants", "grants");
   $grantrow->SetSubmitName( 'savegrantrow' );
@@ -623,7 +623,13 @@
   if ( isset($_GET['edit_grant']) ) {
     $edit_grant_clause = ' AND to_principal != '.intval($_GET['edit_grant']);
   }
-  $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE user_active AND principal_id NOT IN (SELECT to_principal FROM grants WHERE by_principal = '.$id.$edit_grant_clause.') ORDER BY fullname' );
+  $limit_grantrow = '';
+  if ( ! $c->list_everyone ) {
+    if ( ! $session->AllowedTo( "Admin" ) ) {
+      $limit_grantrow = 'AND (principal_id = \''.$session->principal_id.'\' or principal_id in (select member_id from group_member where group_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\')) or principal_id in (select group_id from group_member where member_id = \''.$session->principal_id.'\'))';
+    }
+  }
+  $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE user_active AND principal_id NOT IN (SELECT to_principal FROM grants WHERE by_principal = '.$id.$edit_grant_clause.') '.$limit_grantrow.' ORDER BY fullname' );
   if ( $can_write_principal ) {
     if ( $grantrow->IsSubmit() ) {
       if ( $grantrow->IsUpdate() )

Reply via email to