From 8e78a217fc1dbe414733eb91abdbcef10c464e9f Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 24 Feb 2021 10:23:51 +0100
Subject: [PATCH] add advanced access control for folder, do not show delete doc/folder button without access
---
 views/bootstrap/class.Bootstrap.php | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 19dcc7d77..09b7fe9d3 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -651,7 +651,8 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 if ($accessMode == M_ALL) {
 if ($folderID != $this->params['rootfolderid'] && $folder->getParent())
- $menuitems['rm_folder'] = array('link'=>"../out/out.RemoveFolder.php?folderid=". $folderID ."&showtree=".showtree(), 'label'=>'rm_folder');
+ if ($accessobject->check_view_access('RemoveFolder'))
+ $menuitems['rm_folder'] = array('link'=>"../out/out.RemoveFolder.php?folderid=". $folderID ."&showtree=".showtree(), 'label'=>'rm_folder');
 }
 if ($accessMode == M_ALL) {
 if ($accessobject->check_view_access('FolderAccess'))
@@ -2324,11 +2325,9 @@ $(function() {
 * @return string html content if $return is true, otherwise an empty string
 */
 function printDeleteDocumentButton($document, $msg, $return=false){ /* {{{ */
- $accessobject = $this->params['accessobject'];
 $docid = $document->getID();
 $content = '';
- if ($accessobject->check_view_access('RemoveDocument'))
- $content .= ' $document->getName())), ENT_QUOTES).'">';
+ $content .= ' $document->getName())), ENT_QUOTES).'">';
 if($return)
 return $content;
 else
@@ -2939,10 +2938,12 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 $content .= "
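Review bot: The added `check_view_access('RemoveFolder')` test in the `M_ALL` branch only decides whether the `rm_folder` menu entry is rendered; the link target `../out/out.RemoveFolder.php` is a separate request handler. The diffstat shows this commit touches only `views/bootstrap/class.Bootstrap.php`, so it should be confirmed that the RemoveFolder view and the operation behind it enforce the same check on the server side, since hiding a control is not an authorization decision. The two stacked brace-less `if`s would also be safer to maintain as one braced condition, `if ($folderID != $this->params['rootfolderid'] && $folder->getParent() && $accessobject->check_view_access('RemoveFolder')) {`. The enclosing function starts and ends outside the hunk.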
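Review bot: Removing the `check_view_access('RemoveDocument')` test from `printDeleteDocumentButton()` leaves the helper emitting the delete control for every caller, so the guard now exists only at call sites such as the one wrapped in the `@@ -2939` hunk. Call sites outside this patch are not visible; each one should be confirmed to perform the check, or the helper can keep a fail-closed guard of its own, `if (!$this->params['accessobject']->check_view_access('RemoveDocument')) return '';`, placed before `$content` is built. The docblock above the function should then state whether the caller or the helper is responsible for the access check. `printDeleteFolderButton()`, called in the `@@ -3074` hunk, is not shown here and deserves the same look. The function body continues past the end of the hunk.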
";
 if(!empty($extracontent['begin_action_list']))
 $content .= $extracontent['begin_action_list'];
- if($document->getAccessMode($user) >= M_ALL) {
- $content .= $this->printDeleteDocumentButton($document, 'splash_rm_document', true);
- } else {
- $content .= '';
+ if($accessop->check_view_access('RemoveDocument')) {
+ if($document->getAccessMode($user) >= M_ALL) {
+ $content .= $this->printDeleteDocumentButton($document, 'splash_rm_document', true);
+ } else {
+ $content .= '';
+ }
 }
 if($document->getAccessMode($user) >= M_READWRITE) {
 $content .= '';
@@ -3018,6 +3019,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 $enableRecursiveCount = $this->params['enableRecursiveCount'];
 $maxRecursiveCount = $this->params['maxRecursiveCount'];
 $enableClipboard = $this->params['enableclipboard'];
+ $accessop = $this->params['accessobject'];
 $onepage = $this->params['onepage'];
 $owner = $subFolder->getOwner();
@@ -3074,10 +3076,12 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 if(!empty($extracontent['begin_action_list']))
 $content .= $extracontent['begin_action_list'];
 $subFolderAccessMode = $subFolder->getAccessMode($user);
- if($subFolderAccessMode >= M_ALL) {
- $content .= $this->printDeleteFolderButton($subFolder, 'splash_rm_folder', true);
- } else {
- $content .= '';
+ if ($accessop->check_view_access('RemoveFolder')) {
+ if($subFolderAccessMode >= M_ALL) {
+ $content .= $this->printDeleteFolderButton($subFolder, 'splash_rm_folder', true);
+ } else {
+ $content .= '';
+ }
 }
 if($subFolderAccessMode >= M_READWRITE) {
 $content .= '';
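Review bot: `$accessop` is read by the new `if($accessop->check_view_access('RemoveDocument'))` line in the `@@ -2939` hunk, but no assignment to it is visible there. The `$accessop = $this->params['accessobject'];` line this commit adds at `@@ -3018` sits beside `$subFolder` code and appears to belong to the folder-row function, not this document-row one. If the enclosing function does not already set the variable, the method call is made on an undefined value and rendering the row fails, so this is worth confirming before merge. The first hunk and the removed helper code use `$accessobject` for the same parameter; settling on one name would make such gaps easier to spot. The enclosing function starts and ends outside the hunk.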