From e65944b81dcbab8ec6db8f83d713eb5a7d3aac16 Mon Sep 17 00:00:00 2001
From: Jan Schneider
Date: Fri, 6 Feb 2015 21:39:32 +0100
Subject: [PATCH] Check for SHOW permissions (Bug #13837).
---
 nag/lib/Application.php | 6 +++++-
 nag/lib/Form/Task.php | 18 ++++++++++++------
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/nag/lib/Application.php b/nag/lib/Application.php
index e727a487081..1d835eefb83 100644
--- a/nag/lib/Application.php
+++ b/nag/lib/Application.php
@@ -325,7 +325,11 @@ public function topbarCreate(Horde_Tree_Renderer_Base $tree, $parent = null,
 )
 ));
- foreach (Nag::listTasklists(false, Horde_Perms::EDIT, false) as $name => $tasklist) {
+ $user = $registry->getAuth();
+ foreach (Nag::listTasklists(false, Horde_Perms::SHOW, false) as $name => $tasklist) {
+ if (!$tasklist->hasPermission($user, Horde_Perms::EDIT)) {
+ continue;
+ }
 $tree->addNode(array(
 'id' => $parent . $name . '__new',
 'parent' => $parent . '__new',
diff --git a/nag/lib/Form/Task.php b/nag/lib/Form/Task.php
index 9629b3a9b47..0c8b099b080 100644
--- a/nag/lib/Form/Task.php
+++ b/nag/lib/Form/Task.php
@@ -30,10 +30,16 @@ class Nag_Form_Task extends Horde_Form
 */
 public function __construct($vars, $title = '')
 {
+ global $injector, $nag_shares, $prefs, $registry;
+
 parent::__construct($vars, $title);
+ $user = $registry->getAuth();
 $tasklist_enums = array();
- foreach (Nag::listTasklists(false, Horde_Perms::EDIT, false) as $tl_id => $tl) {
+ foreach (Nag::listTasklists(false, Horde_Perms::SHOW, false) as $tl_id => $tl) {
+ if (!$tl->hasPermission($user, Horde_Perms::EDIT)) {
+ continue;
+ }
 $tasklist_enums[$tl_id] = Nag::getLabel($tl);
 }
 $tasklist = $vars->get('tasklist_id');
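Review bot: `$user = $registry->getAuth();` in topbarCreate reads `$registry` as a local, but this hunk adds no `global $registry;`, whereas the constructor in nag/lib/Form/Task.php gets one in the same commit. topbarCreate's body starts outside the hunk, so the declaration may already exist there; if it does not, getAuth() is called on an undefined variable and the per-list "new task" nodes are never added. The SHOW-then-EDIT filter is also repeated in Nag_Form_Task::__construct, so a comment above the loop such as `// Offer only lists that are both visible (SHOW) and writable (EDIT).` would record why two checks are needed.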
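Review bot: The new `$user = $registry->getAuth();` in Nag_Form_Task::__construct shares its name with the loop variable of `foreach (array_keys($users) as $user)` in the last hunk of this file, so once that loop has run `$user` holds a share member and no longer the authenticated user. Nothing visible reads `$user` after the loop, but a permission check added later against it would test the wrong account. Naming the new variable differently, `$auth = $registry->getAuth();` with `$tl->hasPermission($auth, Horde_Perms::EDIT)`, removes the clash and lets the DELETE check reuse it instead of calling `$registry->getAuth()` a second time. The constructor continues past the end of this hunk.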
@@ -60,7 +66,7 @@ public function __construct($vars, $title = '')
 $this->setSection(self::SECTION_GENERAL, _("General"));
 $this->addVariable(_("Name"), 'name', 'text', true);
- if (!$GLOBALS['prefs']->isLocked('default_tasklist') &&
+ if (!$prefs->isLocked('default_tasklist') &&
 count($tasklist_enums) > 1) {
 $v = $this->addVariable(
 _("Task List"), 'tasklist_id', 'enum', true, false, false,
@@ -94,14 +100,14 @@ public function __construct($vars, $title = '')
 // Only display the delete button if this is an existing task and the
 // user has HORDE_PERMS::DELETE
- $share = $GLOBALS['nag_shares']->getShare($tasklist);
- $delete = $share->hasPermission($GLOBALS['registry']->getAuth(), Horde_Perms::DELETE) && $vars->get('task_id');
+ $share = $nag_shares->getShare($tasklist);
+ $delete = $share->hasPermission($registry->getAuth(), Horde_Perms::DELETE) && $vars->get('task_id');
 if (!$vars->get('mobile')) {
 $users = $share->listUsers(Horde_Perms::READ);
 $groups = $share->listGroups(Horde_Perms::READ);
 if (count($groups)) {
- $horde_group = $GLOBALS['injector']->getInstance('Horde_Group');
+ $horde_group = $injector->getInstance('Horde_Group');
 foreach ($groups as $group) {
 $users = array_merge($users,
 $horde_group->listUsers($group));
@@ -110,7 +116,7 @@ public function __construct($vars, $title = '')
 $users = array_flip($users);
 if (count($users)) {
 foreach (array_keys($users) as $user) {
- $identity = $GLOBALS['injector']->getInstance('Horde_Core_Factory_Identity')->create($user);
+ $identity = $injector->getInstance('Horde_Core_Factory_Identity')->create($user);
 $fullname = $identity->getValue('fullname');
 $users[$user] = strlen($fullname) ? $fullname : $user;
 }
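Review bot: `$nag_shares->getShare($tasklist)` in the second hunk on this line still takes `$tasklist` from `$vars->get('tasklist_id')`, and the SHOW/EDIT filter added at the top of the constructor limits only the `$tasklist_enums` choices, not this lookup. The lines between the hunks are not visible here; if they do not reject ids that are missing from `$tasklist_enums`, a request naming some other list reaches `$share->listUsers(Horde_Perms::READ)` and the identity lookup in the following hunk, which would disclose that list's members and their full names. A membership test before the lookup, `if (!isset($tasklist_enums[$tasklist])) { ... }`, would bind the share to the filtered set; how to fail (fall back to the default list or deny) depends on code outside this hunk.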