pub calendar - permission clean up and docu

diff --git a/include/event.php b/include/event.php
index f2783ab36e2c7e56666318fbab4facf8e00aa856..7b77ee8d61bdfaa54b339ad71ea4d79ce3258bac 100644 (file)
--- a/include/event.php
+++ b/include/event.php
@@ -818,13 +818,26 @@ function widget_events() {
        // of the profile page it should be the personal /events page. So we can use $a->user
        $user = ($a->data['user']['nickname'] ? $a->data['user']['nickname'] : $a->user['nickname']);
 
-       // a little bit tricky permission testing because we have to respect many cases
-       if(!(local_user()) && !($owner_uid) // not the private events page (we don't get the $owner_uid for /events)
-                       || (intval($owner_uid) && local_user() !== $owner_uid && !(feature_enabled($owner_uid, "export_calendar"))) // cal logged in user (test permission at foreign profile page)
-                       || ( !(local_user()) && !(feature_enabled($owner_uid, "export_calendar"))) // if cal && not logged in && feature is not enabled
-               ) {
+
+       // The permission testing is a little bit tricky because we have to respect many cases
+
+       // It's not the private events page (we don't get the $owner_uid for /events)
+       if(! local_user() && ! $owner_uid)
+               return;
+
+       // Cal logged in user (test permission at foreign profile page)
+       // If the $owner uid is available we know it is part of one of the profile pages (like /cal)
+       // So we have to test if if it's the own profile page of the logged in user 
+       // or a foreign one. For foreign profile pages we need to check if the feature
+       // for exporting the cal is enabled (otherwise the widget would appear for logged in users
+       // on foreigen profile pages even if the widget is disabled)
+       if(intval($owner_uid) && local_user() !== $owner_uid && ! feature_enabled($owner_uid, "export_calendar")) 
+               return;
+
+       // If it's a kind of profile page (intval($owner_uid)) return if the user not logged in and
+       // export feature isn't enabled
+       if(intval($owner_uid) && ! local_user() && ! feature_enabled($owner_uid, "export_calendar"))
                return;
-       }
 
        return replace_macros(get_markup_template("events_aside.tpl"), array(
                '$etitle' => t("Export"),

diff --git a/mod/cal.php b/mod/cal.php
index b04c3aab429630ea9f5f537d646a378ee8e92bea..a211a0ead96cd6cd3d927717054417b44b156629 100644 (file)
--- a/mod/cal.php
+++ b/mod/cal.php
@@ -303,7 +303,8 @@ function cal_content(&$a) {
                }
 
                // Test permissions
-               if( ((local_user() !== $owner_uid)) && !(feature_enabled($owner_uid, "export_calendar"))) {
+               // Respect the export feature setting for all other /cal pages if it's not the own profile
+               if( ((local_user() !== $owner_uid)) && ! feature_enabled($owner_uid, "export_calendar")) {
                        notice( t('Permission denied.') . EOL);
                        return;
                }