From d97fe80e48e844833987911e4440fb95c458371a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Schie=C3=9Fle?= Date: Tue, 25 Apr 2023 22:09:33 +0200 Subject: [PATCH 1/2] Allow user to toggle visibility of the calendar of deck boards MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The calendar object needs to be exposed with "write" properties in order to allow users to hide/show the corresponding calendar in the calendar app. It doesn't has any affects on the general permissions for the whole board or the tasks. As soon as you select a task you jump to the deck app where the normal deck permissions are applied. fixes: https://github.com/nextcloud/deck/issues/4618 Signed-off-by: Björn Schießle --- lib/DAV/Calendar.php | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/lib/DAV/Calendar.php b/lib/DAV/Calendar.php index 7e02013b5..3457e6c10 100644 --- a/lib/DAV/Calendar.php +++ b/lib/DAV/Calendar.php @@ -59,20 +59,21 @@ class Calendar extends ExternalCalendar { } public function getACL() { + // the calendar should always have the read and the write-properties permissions + // write-properties is needed to allow the user to toggle the visibility of shared deck calendars $acl = [ [ 'privilege' => '{DAV:}read', 'principal' => $this->getOwner(), 'protected' => true, - ] - ]; - if ($this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) { - $acl[] = [ + ], + [ 'privilege' => '{DAV:}write-properties', 'principal' => $this->getOwner(), 'protected' => true, - ]; - } + ] + ]; + return $acl; } From 7a262c5188116b8bbc0836df5378044e0960f5a4 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Wed, 26 Apr 2023 21:45:23 +0200 Subject: [PATCH 2/2] forbid changing the displayname or color of the calendar/deck when the user doesn't has the "manage" permissions Signed-off-by: Bjoern Schiessle --- lib/DAV/Calendar.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/DAV/Calendar.php b/lib/DAV/Calendar.php index 3457e6c10..e34b77771 100644 --- a/lib/DAV/Calendar.php +++ b/lib/DAV/Calendar.php @@ -188,12 +188,18 @@ class Calendar extends ExternalCalendar { foreach ($properties as $key => $value) { switch ($key) { case '{DAV:}displayname': + if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) { + throw new Forbidden('no permission to change the displayname'); + } if (mb_strpos($value, 'Deck: ') === 0) { $value = mb_substr($value, strlen('Deck: ')); } $this->board->setTitle($value); break; case '{http://apple.com/ns/ical/}calendar-color': + if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) { + throw new Forbidden('no permission to change the calendar color'); + } $color = substr($value, 1, 6); if (!preg_match('/[a-f0-9]{6}/i', $color)) { throw new InvalidDataException('No valid color provided');