From 2c678101fcb5a73097cd409a832710bfbc9c916f Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Thu, 6 Feb 2014 14:21:36 -0500
Subject: [PATCH] Fix handling of ACLs with multiple groups

Fixes #1854
---
 NEWS | 1 +
 .../Appointments/SOGoAppointmentFolder.m | 74 +++++++++++++++----
 2 files changed, 61 insertions(+), 14 deletions(-)

diff --git a/NEWS b/NEWS
index cec4e572f4..1c02eb6d6d 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@ Bug fixes
 - respect the maximum number of bookings when viewing the freebusy information of a resource (#2560)
 - encode HTML entities when forwarding an HTML message inline in plain text composition mode (#2411)
 - encode HTML entities in JSON data returned by Calendar module (#2598)
+ - fixed handling of ACLs on shared calendars with multiple groups (#1854)
 2.1.1b (2013-12-04)
 -------------------
diff --git a/SoObjects/Appointments/SOGoAppointmentFolder.m b/SoObjects/Appointments/SOGoAppointmentFolder.m
index 03cbb118ba..a98d7dd78b 100644
--- a/SoObjects/Appointments/SOGoAppointmentFolder.m
+++ b/SoObjects/Appointments/SOGoAppointmentFolder.m
@@ -573,17 +573,27 @@ - (NSString *) aclSQLListingFilter
 }
 grantedCount = [grantedClasses count];
 if (grantedCount == 3)
- filter = @"";
+ {
+ // User have access to all three classifications
+ filter = @"";
+ }
 else if (grantedCount == 2)
- filter
- = [NSString stringWithFormat: @"c_classification != %@",
- [deniedClasses objectAtIndex: 0]];
+ {
+ // User has access to all but one of the classifications
+ filter = [NSString stringWithFormat: @"c_classification != %@",
+ [deniedClasses objectAtIndex: 0]];
+ }
 else if (grantedCount == 1)
- filter
- = [NSString stringWithFormat: @"c_classification = %@",
- [grantedClasses objectAtIndex: 0]];
+ {
+ // User has access to only one classification
+ filter = [NSString stringWithFormat: @"c_classification = %@",
+ [grantedClasses objectAtIndex: 0]];
+ }
 else
- filter = nil;
+ {
+ // User has access to no classification
+ filter = nil;
+ }
 return filter;
 }
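Review bot: The two sentinel values returned by aclSQLListingFilter are easy to confuse and the new comments do not spell out the difference: `filter = @""` means no restriction at all, while `filter = nil` means nothing is granted. A caller that treated nil like the empty string would list every classification to a user who was granted none, so the last comment would be safer as `// No classification granted: nil (not @"") must make the caller return no rows`; the callers are outside this hunk, so how they handle nil should be confirmed. The first added comment also has a grammar slip and should read `// User has access to all three classifications`. The function body starts before the hunk, so how grantedClasses and deniedClasses are filled is not visible here.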
@@ -676,7 +686,6 @@ - (NSArray *) bareFetchFields: (NSArray *) fields qualifier = nil; /* fetch non-recurrent apts first */ - records = [folder fetchFields: fields matchingQualifier: qualifier]; } else
@@ -871,7 +880,6 @@ - (void) _appendCycleException: (iCalRepeatableEntityObject *) component
 {
 NSCalendarDate *recurrenceId;
 NSMutableDictionary *newRecord;
- NSDictionary *oldRecord;
 NGCalendarDateRange *newRecordRange;
 NSComparisonResult compare;
 int recordIndex, secondsOffsetFromGMT;
@@ -2533,7 +2541,7 @@ - (void) initializeQuickTablesAclsInContext: (WOContext *) localContext
 unsigned int permStrIndex;
 [super initializeQuickTablesAclsInContext: localContext];
- /* We assume "userIsOwner" will be set after calling the super method. */
+ /* We assume "userCanAccessAllObjects" will be set after calling the super method. */
 if (!userCanAccessAllObjects)
 {
 login = [[localContext activeUser] login];
@@ -3123,6 +3131,7 @@ - (NSArray *) aclsForUser: (NSString *) uid
 {
 NSMutableArray *aclsForUser;
 NSArray *superAcls;
+ static NSArray *rolesClassifications = nil;
 superAcls = [super aclsForUser: uid forObjectAtPath: objectPathArray];
 if ([uid isEqualToString: [self defaultUserID]])
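Review bot: The function-level `static NSArray *rolesClassifications` declared in the aclsForUser: hunk is filled in the following hunk with the result of `+arrayWithObjects:`, which is autoreleased, and nothing visible retains it. If this file is built with manual reference counting (likely for this code base, but not shown in the patch), the pointer is left dangling once the current autorelease pool drains, and the next call reads freed memory in the middle of an ACL decision. Adding `[rolesClassifications retain];` right after the assignment keeps the cached array alive for the life of the process. The lazy initialisation is also unguarded, which matters only if this method can run on more than one thread.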
@@ -3137,14 +3146,51 @@ - (NSArray *) aclsForUser: (NSString *) uid
 [aclsForUser addObject: SoRole_Authenticated];
 }
 else
- aclsForUser = (NSMutableArray *) superAcls;
+ {
+ aclsForUser = [NSMutableArray array];
+ if (!rolesClassifications)
+ {
+ rolesClassifications =
+ [NSArray arrayWithObjects:
+ [NSArray arrayWithObjects:
+ SOGoCalendarRole_PublicModifier,
+ SOGoCalendarRole_PublicResponder,
+ SOGoCalendarRole_PublicViewer,
+ SOGoCalendarRole_PublicDAndTViewer,
+ nil],
+ [NSArray arrayWithObjects:
+ SOGoCalendarRole_ConfidentialModifier,
+ SOGoCalendarRole_ConfidentialResponder,
+ SOGoCalendarRole_ConfidentialViewer,
+ SOGoCalendarRole_ConfidentialDAndTViewer,
+ nil],
+ [NSArray arrayWithObjects:
+ SOGoCalendarRole_PrivateModifier,
+ SOGoCalendarRole_PrivateResponder,
+ SOGoCalendarRole_PrivateViewer,
+ SOGoCalendarRole_PrivateDAndTViewer,
+ nil],
+ [NSArray arrayWithObject: SOGoRole_ObjectCreator],
+ [NSArray arrayWithObject: SOGoRole_ObjectEraser],
+ nil];
+ }
+ // When a user is a member of many groups for which there are access rights, multiple access rights
+ // can be returned for each classification. In this case, we only keep the highest access right.
+ int i, count = [rolesClassifications count];
+ NSString *role;
+ for (i = 0; i < count; i++)
+ {
+ role = [[rolesClassifications objectAtIndex: i] firstObjectCommonWithArray: superAcls];
+ if (role)
+ [aclsForUser addObject: role];
+ }
+ }
 return aclsForUser;
 }
 /* caldav-proxy */
-- (SOGoAppointmentProxyPermission)
- proxyPermissionForUserWithLogin: (NSString *) login
+- (SOGoAppointmentProxyPermission) proxyPermissionForUserWithLogin: (NSString *) login
 {
 SOGoAppointmentProxyPermission permission;
 NSArray *roles;
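Review bot: The rewritten else branch returns only roles that appear in one of the five `rolesClassifications` lists, so any other role carried by `superAcls` is silently dropped, whereas the old code passed `superAcls` through unchanged. If that narrowing is intended, a comment such as `// Roles not listed in rolesClassifications are deliberately not propagated` would record it; if not, the unlisted roles need to be copied across before the loop. Which role wins per classification depends entirely on the order inside each inner array, because `firstObjectCommonWithArray:` returns the first element of the receiver that is also in `superAcls`. The existing comment should therefore state that each list is ordered from highest to lowest right, so a later edit does not reorder them and quietly change the effective permission. The start of aclsForUser: lies outside this hunk.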