[3733] | 1 | <?php |
---|
| 2 | /** |
---|
| 3 | * CalDAV Server - handle GET method |
---|
| 4 | * |
---|
| 5 | * @package davical |
---|
| 6 | * @subpackage caldav |
---|
| 7 | * @author Andrew McMillan <andrew@mcmillan.net.nz> |
---|
| 8 | * @copyright Catalyst .Net Ltd, Morphoss Ltd <http://www.morphoss.com/> |
---|
| 9 | * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 or later |
---|
| 10 | */ |
---|
| 11 | dbg_error_log("get", "GET method handler"); |
---|
| 12 | |
---|
| 13 | require_once("iCalendar.php"); |
---|
| 14 | require_once("DAVResource.php"); |
---|
| 15 | |
---|
| 16 | $dav_resource = new DAVResource($request->path); |
---|
| 17 | $dav_resource->NeedPrivilege( array('urn:ietf:params:xml:ns:caldav:read-free-busy','DAV::read') ); |
---|
| 18 | |
---|
| 19 | if ( ! $dav_resource->Exists() ) { |
---|
| 20 | $request->DoResponse( 404, translate("Resource Not Found.") ); |
---|
| 21 | } |
---|
| 22 | |
---|
| 23 | function obfuscated_event( $icalendar ) { |
---|
| 24 | // The user is not admin / owner of this calendar looking at his calendar and can not admin the other cal, |
---|
| 25 | // or maybe they don't have *read* access but they got here, so they must at least have free/busy access |
---|
| 26 | // so we will present an obfuscated version of the event that just says "Busy" (translated :-) |
---|
| 27 | $confidential = new iCalComponent(); |
---|
| 28 | $confidential->SetType($icalendar->GetType()); |
---|
| 29 | $confidential->AddProperty( 'SUMMARY', translate('Busy') ); |
---|
| 30 | $confidential->AddProperty( 'CLASS', 'CONFIDENTIAL' ); |
---|
| 31 | $confidential->SetProperties( $icalendar->GetProperties('DTSTART'), 'DTSTART' ); |
---|
| 32 | $confidential->SetProperties( $icalendar->GetProperties('RRULE'), 'RRULE' ); |
---|
| 33 | $confidential->SetProperties( $icalendar->GetProperties('DURATION'), 'DURATION' ); |
---|
| 34 | $confidential->SetProperties( $icalendar->GetProperties('DTEND'), 'DTEND' ); |
---|
| 35 | $confidential->SetProperties( $icalendar->GetProperties('UID'), 'UID' ); |
---|
| 36 | $confidential->SetProperties( $icalendar->GetProperties('CREATED'), 'CREATED' ); |
---|
| 37 | |
---|
| 38 | return $confidential; |
---|
| 39 | } |
---|
| 40 | |
---|
| 41 | |
---|
| 42 | if ( $dav_resource->IsCollection() ) { |
---|
| 43 | if ( ! $dav_resource->IsCalendar() && !(isset($c->get_includes_subcollections) && $c->get_includes_subcollections) ) { |
---|
| 44 | /** RFC2616 says we must send an Allow header if we send a 405 */ |
---|
| 45 | header("Allow: PROPFIND,PROPPATCH,OPTIONS,MKCOL,REPORT,DELETE"); |
---|
| 46 | $request->DoResponse( 405, translate("GET requests on collections are only supported for calendars.") ); |
---|
| 47 | } |
---|
| 48 | |
---|
| 49 | /** |
---|
| 50 | * The CalDAV specification does not define GET on a collection, but typically this is |
---|
| 51 | * used as a .ics download for the whole collection, which is what we do also. |
---|
| 52 | */ |
---|
| 53 | $sql = 'SELECT caldav_data, class, caldav_type, calendar_item.user_no, logged_user '; |
---|
| 54 | $sql .= 'FROM collection INNER JOIN caldav_data USING(collection_id) INNER JOIN calendar_item USING ( dav_id ) WHERE '; |
---|
| 55 | if ( isset($c->get_includes_subcollections) && $c->get_includes_subcollections ) { |
---|
| 56 | $sql .= '(collection.dav_name ~ :path_match '; |
---|
| 57 | $sql .= 'OR collection.collection_id IN (SELECT bound_source_id FROM dav_binding WHERE dav_binding.dav_name ~ :path_match)) '; |
---|
| 58 | $params = array( ':path_match' => '^'.$request->path ); |
---|
| 59 | } |
---|
| 60 | else { |
---|
| 61 | $sql .= 'caldav_data.collection_id = :collection_id '; |
---|
| 62 | $params = array( ':collection_id' => $dav_resource->resource_id() ); |
---|
| 63 | } |
---|
| 64 | if ( isset($c->strict_result_ordering) && $c->strict_result_ordering ) $sql .= ' ORDER BY dav_id'; |
---|
| 65 | |
---|
| 66 | $qry = new AwlQuery( $sql, $params ); |
---|
| 67 | if ( !$qry->Exec("GET",__LINE__,__FILE__) ) { |
---|
| 68 | $request->DoResponse( 500, translate("Database Error") ); |
---|
| 69 | } |
---|
| 70 | |
---|
| 71 | /** |
---|
| 72 | * Here we are constructing a whole calendar response for this collection, including |
---|
| 73 | * the timezones that are referred to by the events we have selected. |
---|
| 74 | */ |
---|
| 75 | $vcal = new iCalComponent(); |
---|
| 76 | $vcal->VCalendar(); |
---|
| 77 | $displayname = $dav_resource->GetProperty('displayname'); |
---|
| 78 | if ( isset($displayname) ) { |
---|
| 79 | $vcal->AddProperty("X-WR-CALNAME", $displayname); |
---|
| 80 | } |
---|
| 81 | |
---|
| 82 | $need_zones = array(); |
---|
| 83 | $timezones = array(); |
---|
| 84 | while( $event = $qry->Fetch() ) { |
---|
| 85 | $ical = new iCalComponent( $event->caldav_data ); |
---|
| 86 | |
---|
| 87 | /** Save the timezone component(s) into a minimal set for inclusion later */ |
---|
| 88 | $event_zones = $ical->GetComponents('VTIMEZONE',true); |
---|
| 89 | foreach( $event_zones AS $k => $tz ) { |
---|
| 90 | $tzid = $tz->GetPValue('TZID'); |
---|
| 91 | if ( !isset($tzid) ) continue ; |
---|
| 92 | if ( $tzid != '' && !isset($timezones[$tzid]) ) { |
---|
| 93 | $timezones[$tzid] = $tz; |
---|
| 94 | } |
---|
| 95 | } |
---|
| 96 | |
---|
| 97 | /** Work out which ones are actually used here */ |
---|
| 98 | $comps = $ical->GetComponents('VTIMEZONE',false); |
---|
| 99 | foreach( $comps AS $k => $comp ) { |
---|
| 100 | $tzid = $comp->GetPParamValue('DTSTART', 'TZID'); if ( isset($tzid) && !isset($need_zones[$tzid]) ) $need_zones[$tzid] = 1; |
---|
| 101 | $tzid = $comp->GetPParamValue('DUE', 'TZID'); if ( isset($tzid) && !isset($need_zones[$tzid]) ) $need_zones[$tzid] = 1; |
---|
| 102 | $tzid = $comp->GetPParamValue('DTEND', 'TZID'); if ( isset($tzid) && !isset($need_zones[$tzid]) ) $need_zones[$tzid] = 1; |
---|
| 103 | |
---|
| 104 | if ( $dav_resource->HavePrivilegeTo('all',false) || $session->user_no == $event->user_no || $session->user_no == $event->logged_user |
---|
| 105 | || ( $c->allow_get_email_visibility && $comp->IsAttendee($session->email) ) ) { |
---|
| 106 | /** |
---|
| 107 | * These people get to see all of the event, and they should always |
---|
| 108 | * get any alarms as well. |
---|
| 109 | */ |
---|
| 110 | $vcal->AddComponent($comp); |
---|
| 111 | continue; |
---|
| 112 | } |
---|
| 113 | /** No visibility even of the existence of these events if they aren't admin/owner/attendee */ |
---|
| 114 | if ( $event->class == 'PRIVATE' ) continue; |
---|
| 115 | |
---|
| 116 | if ( ! $dav_resource->HavePrivilegeTo('DAV::read') || $event->class == 'CONFIDENTIAL' ) { |
---|
| 117 | $vcal->AddComponent(obfuscated_event($comp)); |
---|
| 118 | } |
---|
| 119 | elseif ( isset($c->hide_alarm) && $c->hide_alarm ) { |
---|
| 120 | // Otherwise we hide the alarms (if configured to) |
---|
| 121 | $comp->ClearComponents('VALARM'); |
---|
| 122 | $vcal->AddComponent($comp); |
---|
| 123 | } |
---|
| 124 | else { |
---|
| 125 | $vcal->AddComponent($comp); |
---|
| 126 | } |
---|
| 127 | } |
---|
| 128 | } |
---|
| 129 | |
---|
| 130 | /** Put the timezones on there that we need */ |
---|
| 131 | foreach( $need_zones AS $tzid => $v ) { |
---|
| 132 | if ( isset($timezones[$tzid]) ) $vcal->AddComponent($timezones[$tzid]); |
---|
| 133 | } |
---|
| 134 | |
---|
| 135 | $response = $vcal->Render(); |
---|
| 136 | header( 'Content-Length: '.strlen($response) ); |
---|
| 137 | header( 'Etag: '.$dav_resource->unique_tag() ); |
---|
| 138 | $request->DoResponse( 200, ($request->method == 'HEAD' ? '' : $response), 'text/calendar; charset="utf-8"' ); |
---|
| 139 | } |
---|
| 140 | |
---|
| 141 | |
---|
| 142 | // Just a single event then |
---|
| 143 | |
---|
| 144 | $resource = $dav_resource->resource(); |
---|
| 145 | $ic = new iCalComponent( $resource->caldav_data ); |
---|
| 146 | |
---|
| 147 | /** Default deny... */ |
---|
| 148 | $allowed = false; |
---|
| 149 | if ( $dav_resource->HavePrivilegeTo('all', false) || $session->user_no == $resource->user_no || $session->user_no == $resource->logged_user |
---|
| 150 | || ( $c->allow_get_email_visibility && $ic->IsAttendee($session->email) ) ) { |
---|
| 151 | /** |
---|
| 152 | * These people get to see all of the event, and they should always |
---|
| 153 | * get any alarms as well. |
---|
| 154 | */ |
---|
| 155 | $allowed = true; |
---|
| 156 | } |
---|
| 157 | else if ( $resource->class != 'PRIVATE' ) { |
---|
| 158 | $allowed = true; // but we may well obfuscate it below |
---|
| 159 | if ( ! $dav_resource->HavePrivilegeTo('DAV::read') || ( $resource->class == 'CONFIDENTIAL' && ! $request->HavePrivilegeTo('DAV::write-content') ) ) { |
---|
| 160 | $ical = new iCalComponent( $resource->caldav_data ); |
---|
| 161 | $comps = $ical->GetComponents('VTIMEZONE',false); |
---|
| 162 | $confidential = obfuscated_event($comps[0]); |
---|
| 163 | $ical->SetComponents( array($confidential), $resource->caldav_type ); |
---|
| 164 | $resource->caldav_data = $ical->Render(); |
---|
| 165 | } |
---|
| 166 | } |
---|
| 167 | // else $resource->class == 'PRIVATE' and this person may not see it. |
---|
| 168 | |
---|
| 169 | if ( ! $allowed ) { |
---|
| 170 | $request->DoResponse( 403, translate("Forbidden") ); |
---|
| 171 | } |
---|
| 172 | |
---|
| 173 | header( 'Etag: "'.$resource->dav_etag.'"' ); |
---|
| 174 | header( 'Content-Length: '.strlen($resource->caldav_data) ); |
---|
| 175 | |
---|
| 176 | $contenttype = 'text/plain'; |
---|
| 177 | switch( $resource->caldav_type ) { |
---|
| 178 | case 'VJOURNAL': |
---|
| 179 | case 'VEVENT': |
---|
| 180 | case 'VTODO': |
---|
| 181 | $contenttype = 'text/calendar'; |
---|
| 182 | break; |
---|
| 183 | |
---|
| 184 | case 'VCARD': |
---|
| 185 | $contenttype = 'text/x-vcard'; |
---|
| 186 | break; |
---|
| 187 | } |
---|
| 188 | |
---|
| 189 | $request->DoResponse( 200, ($request->method == 'HEAD' ? '' : $resource->caldav_data), $contenttype.'; charset="utf-8"' ); |
---|