ZP-1357 Prevent editing private items in impersonated folder. Added

impersonated folder origin.

Released under the Affero GNU General Public License (AGPL) version 3.

src/backend/kopano/importer.php

@@ -254,7 +254,7 @@ class ImportChangesICS implements IImportChanges {
 
         $sharedUser = ZPush::GetAdditionalSyncFolderStore(bin2hex($this->folderid));
         // if this is either a user folder or SYSTEM and no restriction is set, we don't need to check
-        if (($sharedUser == false || $sharedUser == 'SYSTEM') && $this->cutoffdate === false) {
+        if (($sharedUser == false || $sharedUser == 'SYSTEM') && $this->cutoffdate === false && !Request::GetImpersonatedUser()) {
             return true;
         }
 

src/backend/kopano/mapiprovider.php

@@ -989,7 +989,11 @@ class MAPIProvider {
         }
 
         $folder->BackendId = bin2hex($folderprops[PR_SOURCE_KEY]);
-        $folder->serverid = ZPush::GetDeviceManager()->GetFolderIdForBackendId($folder->BackendId, true, DeviceManager::FLD_ORIGIN_USER, $folderprops[PR_DISPLAY_NAME]);
+        $folderOrigin = DeviceManager::FLD_ORIGIN_USER;
+        if (Request::GetImpersonatedUser() && Request::GetImpersonatedUser() != Request::GetAuthUser()) {
+            $folderOrigin = DeviceManager::FLD_ORIGIN_IMPERSONATED;
+        }
+        $folder->serverid = ZPush::GetDeviceManager()->GetFolderIdForBackendId($folder->BackendId, true, $folderOrigin, $folderprops[PR_DISPLAY_NAME]);
         if($folderprops[PR_PARENT_ENTRYID] == $storeprops[PR_IPM_SUBTREE_ENTRYID]) {
             $folder->parentid = "0";
         }

src/backend/kopano/mapiutils.php

@@ -366,8 +366,13 @@ class MAPIUtils {
         $sensitivity = mapi_getprops($mapimessage, array(PR_SENSITIVITY));
         if (isset($sensitivity[PR_SENSITIVITY]) && $sensitivity[PR_SENSITIVITY] >= SENSITIVITY_PRIVATE) {
             $hexFolderid = bin2hex($folderid);
-            $sharedUser = ZPush::GetAdditionalSyncFolderStore($hexFolderid);
             $shortId = ZPush::GetDeviceManager()->GetFolderIdForBackendId($hexFolderid);
+            ZLog::Write(LOGLEVEL_DEBUG, sprintf("APIUtils->IsMessageSharedAndPrivate(): '%s'", $shortId));
+            if (Utils::GetFolderOriginFromId($shortId) == DeviceManager::FLD_ORIGIN_IMPERSONATED) {
+                ZLog::Write(LOGLEVEL_DEBUG, sprintf("MAPIUtils->IsMessageSharedAndPrivate(): Message is in impersonated store '%s' and marked as private", Request::GetImpersonatedUser()));
+                return true;
+            }
+            $sharedUser = ZPush::GetAdditionalSyncFolderStore($hexFolderid);
             if (Utils::GetFolderOriginFromId($shortId) != DeviceManager::FLD_ORIGIN_USER && $sharedUser != false && $sharedUser != 'SYSTEM') {
                 ZLog::Write(LOGLEVEL_DEBUG, sprintf("MAPIUtils->IsMessageSharedAndPrivate(): Message is in shared store '%s' and marked as private", $sharedUser));
                 return true;

src/lib/core/asdevice.php

@@ -668,6 +668,7 @@ class ASDevice extends StateObject {
      *                                                                  'C' (configured)
      *                                                                  'S' (shared)
      *                                                                  'G' (global address book)
+     *                                                                  'I' (impersonated)
      * @param string    $folderName             Folder name of the backend folder
      *
      * @access public
@@ -1124,6 +1125,7 @@ class ASDevice extends StateObject {
      *                                                                  'C' (configured)
      *                                                                  'S' (shared)
      *                                                                  'G' (global address book)
+     *                                                                  'I' (impersonated)
      * @param string    $folderName             Folder name of the backend folder
      *
      * @access private

src/lib/core/devicemanager.php

@@ -42,6 +42,7 @@ class DeviceManager {
     const FLD_ORIGIN_CONFIG = "C";
     const FLD_ORIGIN_SHARED = "S";
     const FLD_ORIGIN_GAB = "G";
+    const FLD_ORIGIN_IMPERSONATED = "I";
 
     const FLD_FLAGS_NONE = 0;
     const FLD_FLAGS_SENDASOWNER = 1;
@@ -1052,13 +1053,14 @@ class DeviceManager {
      *                                                                  'C' (configured)
      *                                                                  'S' (shared)
      *                                                                  'G' (global address book)
+     *                                                                  'I' (impersonated)
      * @param string    $folderName             Folder name of the backend folder
      *
      * @access public
      * @return string/boolean  returns false if there is folderid known for this backendid and $generateNewIdIfNew is not set or false.
      */
     public function GetFolderIdForBackendId($backendid, $generateNewIdIfNew = false, $folderOrigin = self::FLD_ORIGIN_USER, $folderName = null) {
-        if (!in_array($folderOrigin, array(DeviceManager::FLD_ORIGIN_CONFIG, DeviceManager::FLD_ORIGIN_GAB, DeviceManager::FLD_ORIGIN_SHARED, DeviceManager::FLD_ORIGIN_USER))) {
+        if (!in_array($folderOrigin, array(DeviceManager::FLD_ORIGIN_CONFIG, DeviceManager::FLD_ORIGIN_GAB, DeviceManager::FLD_ORIGIN_SHARED, DeviceManager::FLD_ORIGIN_USER, DeviceManager::FLD_ORIGIN_IMPERSONATED))) {
             ZLog::Write(LOGLEVEL_WARN, sprintf("ASDevice->GetFolderIdForBackendId(): folder type '%' is unknown in DeviceManager", $folderOrigin));
         }
         return $this->device->GetFolderIdForBackendId($backendid, $generateNewIdIfNew, $folderOrigin, $folderName);

src/lib/request/request.php

@@ -719,14 +719,14 @@ class Request {
      */
     static private function filterEvilInput($input, $filter, $replacevalue = '') {
         $re = false;
-        if ($filter == self::LETTERS_ONLY)            $re = "/[^A-Za-z]/";
-        else if ($filter == self::HEX_ONLY)           $re = "/[^A-Fa-f0-9]/";
-        else if ($filter == self::WORDCHAR_ONLY)      $re = "/[^A-Za-z0-9]/";
-        else if ($filter == self::NUMBERS_ONLY)       $re = "/[^0-9]/";
-        else if ($filter == self::NUMBERSDOT_ONLY)    $re = "/[^0-9\.]/";
-        else if ($filter == self::HEX_EXTENDED)       $re = "/[^A-Fa-f0-9\:\.]/";
-        else if ($filter == self::HEX_EXTENDED2)      $re = "/[^A-Fa-f0-9\:USG]/"; // Folder origin constants from DeviceManager::FLD_ORIGIN_* (C already hex)
-        else if ($filter == self::ISO8601)            $re = "/[^\d{8}T\d{6}Z]/";
+        if ($filter == self::LETTERS_ONLY)          $re = "/[^A-Za-z]/";
+        elseif ($filter == self::HEX_ONLY)          $re = "/[^A-Fa-f0-9]/";
+        elseif ($filter == self::WORDCHAR_ONLY)     $re = "/[^A-Za-z0-9]/";
+        elseif ($filter == self::NUMBERS_ONLY)      $re = "/[^0-9]/";
+        elseif ($filter == self::NUMBERSDOT_ONLY)   $re = "/[^0-9\.]/";
+        elseif ($filter == self::HEX_EXTENDED)      $re = "/[^A-Fa-f0-9\:\.]/";
+        elseif ($filter == self::HEX_EXTENDED2)     $re = "/[^A-Fa-f0-9\:USGI]/"; // Folder origin constants from DeviceManager::FLD_ORIGIN_* (C already hex)
+        elseif ($filter == self::ISO8601)           $re = "/[^\d{8}T\d{6}Z]/";
 
         return ($re) ? preg_replace($re, $replacevalue, $input) : '';
     }

src/lib/utils/utils.php

@@ -1089,6 +1089,7 @@ class Utils {
             case DeviceManager::FLD_ORIGIN_GAB:
             case DeviceManager::FLD_ORIGIN_SHARED:
             case DeviceManager::FLD_ORIGIN_USER:
+            case DeviceManager::FLD_ORIGIN_IMPERSONATED:
                 return $origin;
         }
         ZLog::Write(LOGLEVEL_WARN, sprintf("Utils->GetFolderOriginFromId(): Unknown folder origin for folder with id '%s'", $folderid));
@@ -1114,6 +1115,8 @@ class Utils {
                 return 'shared';
             case DeviceManager::FLD_ORIGIN_USER:
                 return 'user';
+            case DeviceManager::FLD_ORIGIN_IMPERSONATED:
+                return 'impersonated';
         }
         ZLog::Write(LOGLEVEL_WARN, sprintf("Utils->GetFolderOriginStringFromId(): Unknown folder origin for folder with id '%s'", $folderid));
         return 'unknown';