cal export && public calendar - even better permissions testing

diff --git a/include/event.php b/include/event.php
index c826511f2307e0bac8b9d0bd6b78d561ece33877..f2783ab36e2c7e56666318fbab4facf8e00aa856 100644 (file)
--- a/include/event.php
+++ b/include/event.php
@@ -818,8 +818,13 @@ function widget_events() {
        // of the profile page it should be the personal /events page. So we can use $a->user
        $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
 
-       if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar")) )
+       // a little bit tricky permission testing because we have to respect many cases
+       if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events)
+                       || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page)
+                       || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled
+               ) {
                return;
+       }
 
        return replace_macros(get_markup_template("events_aside.tpl"), array(
                '$etitle' => t("Export"),

diff --git a/mod/cal.php b/mod/cal.php
index 5dab182e713f8463a5e87ed0f1b42cf488c6013e..e2c84204b4e3beb1aaa98b985d8a46e428abcaa1 100644 (file)
--- a/mod/cal.php
+++ b/mod/cal.php
@@ -302,7 +302,8 @@ function cal_content(&$a) {
                        return;
                }
 
-               if( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) {
+               // Test permissions
+               if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) {
                        notice( t('Permission denied.') . EOL);
                        return;
                }