ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

forbid changing the displayname or color of the calendar/deck when the user doesn't has the "manage" permissions

Browse Source 
Signed-off-by: Bjoern Schiessle <bjoern@nextcloud.com>
This commit is contained in:
Bjoern Schiessle
2023-04-26 21:45:23 +02:00
committed by backportbot-nextcloud[bot]
parent 43bec159ff
commit 6684023424
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/DAV/Calendar.php
View File

@@ -188,12 +188,18 @@ class Calendar extends ExternalCalendar {
foreach ($properties as $key => $value) {
switch ($key) {
case '{DAV:}displayname':
if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) {
throw new Forbidden('no permission to change the displayname');
}
if (mb_strpos($value, 'Deck: ') === 0) {
$value = mb_substr($value, strlen('Deck: '));
}
$this->board->setTitle($value);
break;
case '{http://apple.com/ns/ical/}calendar-color':
if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) {
throw new Forbidden('no permission to change the calendar color');
}
$color = substr($value, 1, 6);
if (!preg_match('/[a-f0-9]{6}/i', $color)) {
throw new InvalidDataException('No valid color provided');