- $str_contact_allow = '';
- $str_group_allow = '';
- $str_contact_deny = '';
- $str_group_deny = '';
-
- if (($_REQUEST['visibility'] ?? '') !== 'public') {
- $aclFormatter = DI::aclFormatter();
- $str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $owner_record['allow_cid'] ?? '';
- $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $owner_record['allow_gid'] ?? '';
- $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $owner_record['deny_cid'] ?? '';
- $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $owner_record['deny_gid'] ?? '';
-
- // Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
- // that would make the item public. So we always append the author's contact id to the allowed contacts.
+ $aclFormatter = DI::aclFormatter();
+ $str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $owner_record['allow_cid'] ?? '';
+ $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $owner_record['allow_gid'] ?? '';
+ $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $owner_record['deny_cid'] ?? '';
+ $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $owner_record['deny_gid'] ?? '';
+
+ $visibility = $_REQUEST['visibility'] ?? '';
+ if ($visibility === 'public') {
+ // The ACL selector introduced in version 2019.12 sends ACL input data even when the Public visibility is selected
+ $str_contact_allow = $str_group_allow = $str_contact_deny = $str_group_deny = '';
+ } else if ($visibility === 'custom') {
+ // Since we know from the visibility parameter the item should be private, we have to prevent the empty ACL
+ // case that would make it public. So we always append the author's contact id to the allowed contacts.