Index: openacs-4/packages/contacts/contacts.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/contacts/contacts.info,v
diff -u -r1.76 -r1.77
--- openacs-4/packages/contacts/contacts.info	2 Jun 2006 09:18:30 -0000	1.76
+++ openacs-4/packages/contacts/contacts.info	5 Jun 2006 08:13:27 -0000	1.77
@@ -7,14 +7,14 @@
     <initial-install-p>f</initial-install-p>
     <singleton-p>f</singleton-p>
     
-    <version name="1.2b14" url="http://openacs.org/repository/download/apm/contacts-1.2b14.apm">
+    <version name="1.2b15" url="http://openacs.org/repository/download/apm/contacts-1.2b15.apm">
         <owner url="mailto:openacs@geddert.com">Matthew Geddert</owner>
         <summary>This application lets you collaboratively view, edit and categorize contacts.</summary>
-        <release-date>2006-06-02</release-date>
+        <release-date>2006-06-05</release-date>
         <description format="text/plain">Contacts is an application for managing all those people and or organization you need to keep track of. It has a complete UI for storing and categorizing contacts. Each contact can have an arbitrary number of custom attributes associated with it, including other contacts (i.e. a certain contact &quot;belongs&quot; to a certain organization). It also functions as a service contract provider for attributes related to users in your system</description>
         <maturity>0</maturity>
 
-        <provides url="contacts" version="1.2b14"/>
+        <provides url="contacts" version="1.2b15"/>
         <requires url="acs-datetime" version="4.1"/>
         <requires url="acs-events" version="0.5d3"/>
         <requires url="acs-tcl" version="5.2.0b3"/>
@@ -26,8 +26,8 @@
 
         <callbacks>
             <callback type="after-install"  proc="contacts::install::package_install"/>
-            <callback type="after-instantiate"  proc="contacts::install::package_instantiate"/>
             <callback type="after-upgrade"  proc="contacts::install::package_upgrade"/>
+            <callback type="after-instantiate"  proc="contacts::install::package_instantiate"/>
         </callbacks>
         <parameters>
             <parameter datatype="string"  min_n_values="1"  max_n_values="1"  name="AcceptableFileUploadMIMETypes"  default="*" description="* for any. CSV of acceptable MIME Types for File Upload" section_name="File Upload"/>
@@ -79,6 +79,7 @@
             <parameter datatype="string"  min_n_values="1"  max_n_values="1"  name="SquareThumbnails"  default="1" description="0 for no, 1 for yes. If yes we crop either the top or the bottom of the image to create square thumbnails and portraits" section_name="Photos"/>
             <parameter datatype="string"  min_n_values="1"  max_n_values="1"  name="ThumbnailSize"  default="125x125" description="Max dimension for thumbnail image" section_name="Photos"/>
             <parameter datatype="number"  min_n_values="1"  max_n_values="1"  name="UseSubsiteAsDefaultGroup"  default="0" description="Default '0'. Should we use this contact's instances subsite's application group as the default group? If yes set to '1'. Using the subsites application group as the default group will automatically add all subsite users to this contacts instance. This should only be changed at install time."/>
+            <parameter datatype="number"  min_n_values="1"  max_n_values="1"  name="ViewOthersSearchesP"  default="0" description="Are users allowed to view other users searches. '1' is yes, '0' is no. The default is '0'. On sites where some users are not allowed to view certain attributes or search condition types this should be '0', since viewing searches from other users may allow you to gain access to information they must not access. Site wide administrators are automatically given permission to view all users searches."/>
         </parameters>
 
     </version>
Index: openacs-4/packages/contacts/catalog/contacts.en_US.ISO-8859-1.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/contacts/catalog/contacts.en_US.ISO-8859-1.xml,v
diff -u -r1.83 -r1.84
--- openacs-4/packages/contacts/catalog/contacts.en_US.ISO-8859-1.xml	2 Jun 2006 09:18:30 -0000	1.83
+++ openacs-4/packages/contacts/catalog/contacts.en_US.ISO-8859-1.xml	5 Jun 2006 08:13:28 -0000	1.84
@@ -285,6 +285,7 @@
   <msg key="lt_attribute_pretty_zipp_1">%attribute_pretty% zip/postal does not start with: &lt;strong&gt;%value%&lt;/strong&gt;</msg>
   <msg key="lt_brbrsave_this_search_">&lt;br&gt;&lt;br&gt;save this search as</msg>
   <msg key="lt_Bulk_update_the_seclected_C">Bulk update the selected contacts</msg>
+  <msg key="lt_Cannot_view_others_searches">You do not have permission to view other users searches</msg>
   <msg key="lt_commented_on_in_last_">commented on in last -&gt;</msg>
   <msg key="lt_commentspretty_date_a">%comments.pretty_date% at %comments.pretty_time% -</msg>
   <msg key="lt_Contact_Administratio">Contact Administration</msg>
@@ -510,6 +511,7 @@
   <msg key="People_or_Organizations">People or Organizations</msg>
   <msg key="people_or_organizations">people or organizations</msg>
   <msg key="Percent">Percent:</msg>
+  <msg key="Permission_Denied">Permission Denied</msg>
   <msg key="Permissions">Permissions</msg>
   <msg key="Permissions_for_default_group">Permissions for default group</msg>
   <msg key="Person">Person</msg>
Index: openacs-4/packages/contacts/tcl/contact-search-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/contacts/tcl/contact-search-procs.tcl,v
diff -u -r1.30 -r1.31
--- openacs-4/packages/contacts/tcl/contact-search-procs.tcl	19 May 2006 18:36:56 -0000	1.30
+++ openacs-4/packages/contacts/tcl/contact-search-procs.tcl	5 Jun 2006 08:13:28 -0000	1.31
@@ -50,6 +50,30 @@
     return [db_string select_title {} -default {}]
 }
 
+
+ad_proc -public contact::search::permitted {
+    {-search_id:required}
+    {-user_id ""}
+} {
+} {
+    if { $search_id ne "" } {
+	if { [db_0or1row select_search_info {}] } {
+	    if { $user_id eq "" } {
+		set user_id [ad_conn user_id]
+	    }
+	    if { ![acs_user::site_wide_admin_p -user_id $user_id] && $owner_id ne $user_id && $owner_id ne $package_id } {
+		# the user is not site wide admin
+		# the user does not own the search
+		if { ![parameter::get -boolean -parameter "ViewOthersSearchesP" -default "0" -package_id $package_id] } {
+		    ns_log notice "contact::search::permitted: user $user_id does not have permission to search_id $search_id (package $package_id owner $owner_id)"
+		    ad_return_forbidden  [_ contacts.Permission_Denied] "<blockquote>[_ contacts.lt_Cannot_view_others_searches]</blockquote>"
+		    ad_script_abort
+		}
+	    }
+	}
+    }
+}
+
 ad_proc -public contact::search::get {
     -search_id:required
     -array:required
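Review bot: The new `contact::search::permitted` has an empty documentation block (the `} {` / `} {` pair at the top of the hunk) even though it is the access-control gate for saved searches, and its name reads as a predicate while it actually returns nothing and aborts the request via `ad_return_forbidden` / `ad_script_abort` on denial. I would fill the doc block with something like `Aborts the request with a 403 unless user_id (default: the connection user) owns search_id, the search is public (owner_id equals the package_id), the user is site-wide admin, or ViewOthersSearchesP is set for the search's package. A search_id that does not resolve is silently permitted.` The `ad_conn user_id` fallback and the abort presumably make the proc unusable outside a request (no connection), which the doc should state too. The `db_0or1row` false branch falling through without error is worth spelling out so callers do not mistake this proc for an existence check.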
@@ -408,7 +432,6 @@
     }
 }
 
-
 ad_proc -public contact::search::query_clause {
     {-and:boolean}
     {-query ""}
@@ -525,6 +548,7 @@
     {-limit_type_p "1"}
 } {
 } {
+    contact::search::permitted -search_id $search_id
     if { $and_p } {
         return [util_memoize [list ::contact::search::where_clause_not_cached \
                                   -search_id $search_id \
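Review bot: The guard is added only to `contact::search::where_clause` (whose signature begins above this hunk and whose body continues below it); `contact::search::get`, visible in context in the first hunk of this file and backed by a `select contact_searches.*` query in the .xql, receives no such call. If `get` is reachable from pages that render a search's title or conditions, the information ViewOthersSearchesP is meant to protect may still be readable there — consider adding `contact::search::permitted -search_id $search_id` at the start of `get` as well, or documenting why `where_clause` is the only entry point that needs it. Placing the call before `util_memoize` is correct, since the memoized clause is keyed on the search arguments rather than on the requesting user.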
Index: openacs-4/packages/contacts/tcl/contact-search-procs.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/contacts/tcl/contact-search-procs.xql,v
diff -u -r1.18 -r1.19
--- openacs-4/packages/contacts/tcl/contact-search-procs.xql	19 May 2006 18:36:56 -0000	1.18
+++ openacs-4/packages/contacts/tcl/contact-search-procs.xql	5 Jun 2006 08:13:28 -0000	1.19
@@ -15,6 +15,17 @@
   </querytext>
 </fullquery>
 
+<fullquery name="contact::search::permitted.select_search_info">
+  <querytext>
+    select cs.owner_id,
+           ao.package_id
+      from contact_searches cs,
+           acs_objects ao
+     where cs.search_id = ao.object_id
+       and cs.search_id = :search_id
+      </querytext>
+</fullquery>
+
 <fullquery name="contact::search::get.select_search_info">
   <querytext>
     select contact_searches.*, acs_objects.title, acs_objects.package_id
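Review bot: The closing `</querytext>` of the new `contact::search::permitted.select_search_info` query is indented six spaces, unlike the two-space closing tag of every sibling block in this file (for example the one just above the hunk); align it as `  </querytext>`. The query itself passes `search_id` as a bind variable and joins acs_objects to obtain the package_id the permission check needs, which is what the Tcl side expects.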
@@ -24,7 +35,6 @@
   </querytext>
 </fullquery>
 
-
 <fullquery name="contact::search_pretty_not_cached.select_conditions">
   <querytext>
     select type,
Index: openacs-4/packages/contacts/www/searches.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/contacts/www/searches.tcl,v
diff -u -r1.3 -r1.4
--- openacs-4/packages/contacts/www/searches.tcl	25 Nov 2005 18:12:21 -0000	1.3
+++ openacs-4/packages/contacts/www/searches.tcl	5 Jun 2006 08:13:28 -0000	1.4
@@ -9,14 +9,27 @@
     {owner_id:optional}
     {format "noraml"}
 } -validate {
+    valid_owner_id -requires {owner_id} {
+	if { $owner_id ne [ad_conn user_id] && $owner_id ne [ad_conn package_id] } {
+	    if { ![parameter::get -boolean -parameter "ViewOthersSearchesP" -default "0"] || ![acs_user::site_wide_admin_p] } {
+		ad_complain [_ contacts.lt_Cannot_view_others_searches]
+	    }
+	}
+    }
 }
 
 set user_id [ad_conn user_id]
 set package_id [ad_conn package_id]
 if { ![exists_and_not_null owner_id] } {
     set owner_id $user_id
 }
-set owner_options [db_list_of_lists select_owner_options {}]
+
+if { [parameter::get -boolean -parameter "ViewOthersSearchesP" -default "0"] || [acs_user::site_wide_admin_p] } {
+    set owner_options [db_list_of_lists select_owner_options {}]
+} else {
+    set owner_options [list [list [_ contacts.My_Searches] $user_id]]
+}
+
 set owner_options [concat [list [list [_ contacts.Public_Searches] "${package_id}"]] $owner_options]
 
 template::list::create \
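Review bot: The `valid_owner_id` validation block inverts the intended rule: with `||`, the complaint fires whenever the parameter is off OR the caller is not a site-wide admin, so a site-wide admin on a site with ViewOthersSearchesP=0 is rejected (contradicting the parameter description in contacts.info, which says admins may view all users' searches) and a non-admin on a site with ViewOthersSearchesP=1 is rejected too. The condition should be `if { ![parameter::get -boolean -parameter "ViewOthersSearchesP" -default "0"] && ![acs_user::site_wide_admin_p] } {`, which is the complement of the `||` test used further down in this same hunk to build `owner_options` and matches the logic of `contact::search::permitted` in contact-search-procs.tcl. The validation only runs when `owner_id` is supplied, so the later `set owner_id $user_id` default is not subject to it, which is fine; the page script continues past the end of this hunk.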