[evolution-ews] Reject creating meetings organized by other users



commit 9070176add1b2823502699eff9f79955ede1ec6a
Author: Milan Crha <mcrha redhat com>
Date:   Thu Oct 31 11:12:37 2019 +0100

    Reject creating meetings organized by other users
    
    The EWS protocol doesn't allow creating meetings organized by anyone
    other than the calendar owner [1], so reject such attempts to avoid
    possible data loss and stealing of the meeting.
    
    [1] Even an older blog post, but still applicable:
    
https://blogs.msdn.microsoft.com/webdav_101/2011/09/28/howto-set-the-organizer-of-a-meeting-on-the-calendar-of-an-attendee-using-ews/

 src/calendar/e-cal-backend-ews.c | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)
---
diff --git a/src/calendar/e-cal-backend-ews.c b/src/calendar/e-cal-backend-ews.c
index 25a62ab5..b476c0c4 100644
--- a/src/calendar/e-cal-backend-ews.c
+++ b/src/calendar/e-cal-backend-ews.c
@@ -1516,9 +1516,8 @@ ecb_ews_extract_item_id (ECalComponent *comp,
 }
 
 static gboolean
-ecb_ews_can_send_invitations (ECalBackendEws *cbews,
-                             guint32 opflags,
-                             ECalComponent *comp)
+ecb_ews_organizer_is_user (ECalBackendEws *cbews,
+                          ECalComponent *comp)
 {
        ECalComponentOrganizer *organizer;
        gboolean is_organizer = FALSE;
@@ -1526,9 +1525,6 @@ ecb_ews_can_send_invitations (ECalBackendEws *cbews,
        g_return_val_if_fail (E_IS_CAL_BACKEND_EWS (cbews), FALSE);
        g_return_val_if_fail (E_IS_CAL_COMPONENT (comp), FALSE);
 
-       if ((opflags & E_CAL_OPERATION_FLAG_DISABLE_ITIP_MESSAGE) != 0)
-               return FALSE;
-
        if (!e_cal_component_has_organizer (comp))
                return FALSE;
 
@@ -1547,6 +1543,18 @@ ecb_ews_can_send_invitations (ECalBackendEws *cbews,
                is_organizer = user_email && g_ascii_strcasecmp (email, user_email) == 0;
 
                g_free (user_email);
+
+               if (!is_organizer) {
+                       GHashTable *aliases;
+
+                       aliases = ecb_ews_get_mail_aliases (cbews);
+
+                       if (aliases) {
+                               is_organizer = g_hash_table_contains (aliases, email);
+
+                               g_hash_table_unref (aliases);
+                       }
+               }
        }
 
        e_cal_component_organizer_free (organizer);
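Review bot: The alias lookup `is_organizer = g_hash_table_contains (aliases, email);` matches using whatever hash and equality functions `ecb_ews_get_mail_aliases ()` gave the table, while the primary comparison just above uses `g_ascii_strcasecmp`. That helper is not visible here. If the table is keyed with plain `g_str_hash`/`g_str_equal`, an alias differing only in letter case would not match, and the new check in `ecb_ews_save_component_sync` would then refuse the user's own meeting. Confirm the table is case-insensitive and record it next to the lookup, for example `/* aliases table is keyed case-insensitively, like the comparison above */`. The enclosing function starts and ends outside this hunk.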
@@ -1554,6 +1562,20 @@ ecb_ews_can_send_invitations (ECalBackendEws *cbews,
        return is_organizer;
 }
 
+static gboolean
+ecb_ews_can_send_invitations (ECalBackendEws *cbews,
+                             guint32 opflags,
+                             ECalComponent *comp)
+{
+       g_return_val_if_fail (E_IS_CAL_BACKEND_EWS (cbews), FALSE);
+       g_return_val_if_fail (E_IS_CAL_COMPONENT (comp), FALSE);
+
+       if ((opflags & E_CAL_OPERATION_FLAG_DISABLE_ITIP_MESSAGE) != 0)
+               return FALSE;
+
+       return ecb_ews_organizer_is_user (cbews, comp);
+}
+
 static gboolean
 ecb_ews_connect_sync (ECalMetaBackend *meta_backend,
                      const ENamedParameters *credentials,
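Review bot: `ecb_ews_organizer_is_user ()` has no comment stating its contract, although after this commit its result decides whether a save is refused, not only whether invitations are sent. From the visible lines it returns FALSE both when the component has no organizer and when the organizer is someone else, which is why the caller in `ecb_ews_save_component_sync` pairs it with `e_cal_component_has_organizer ()`. I would add above the helper: `/* TRUE only when comp has an organizer matching user_email or one of the mail aliases; FALSE also covers "no organizer", so callers must test that separately. */`. The helper's definition begins in an earlier hunk.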
@@ -2862,6 +2884,10 @@ ecb_ews_save_component_sync (ECalMetaBackend *meta_backend,
                g_slist_free_full (existing, g_object_unref);
                g_slist_free_full (changed_instances, change_data_free);
                g_slist_free_full (removed_instances, g_object_unref);
+       } else if (e_cal_component_has_organizer (master) &&
+                  !ecb_ews_organizer_is_user (cbews, master)) {
+               success = FALSE;
+               g_propagate_error (error, EC_ERROR_EX (E_CLIENT_ERROR_PERMISSION_DENIED, _("Cannot create 
meetings organized by other users in an Exchange Web Services calendar.")));
        } else {
                GHashTable *removed_indexes;
                EwsCalendarConvertData convert_data = { 0 };
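Review bot: The new `else if` branch compares the organizer with the signed-in user's address and aliases, while the commit message states the protocol limit in terms of the calendar owner. If this backend can also open a calendar belonging to another mailbox (not visible in this hunk), the two differ. A meeting organized by the user would pass the check even though the user does not own that calendar, so the data loss the commit describes might still occur there. Worth confirming, and a comment on the branch would record the intent, e.g. `/* EWS cannot create a meeting for a foreign organizer; refuse instead of risking data loss */`. The surrounding function and the preceding `if` condition are outside the hunk.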

