From 9cd71e2a5e5242a6b9c562d7d8d9c67ce11a5519 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Fri, 24 May 2013 20:16:09 +0200
Subject: [PATCH] Get Contact through AddressBook to check permissions.
---
 lib/controller/contactcontroller.php | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/lib/controller/contactcontroller.php b/lib/controller/contactcontroller.php
index 12cad239..09831f6d 100644
--- a/lib/controller/contactcontroller.php
+++ b/lib/controller/contactcontroller.php
@@ -35,11 +35,8 @@ class ContactController extends BaseController {
 $request = $this->request;
 $response = new JSONResponse();
- $contact = $app->getContact(
- $request->parameters['backend'],
- $request->parameters['addressbookid'],
- $request->parameters['contactid']
- );
+ $addressBook = $app->getAddressBook($params['backend'], $params['addressbookid']);
+ $contact = $addressBook->getChild($params['contactid']);
 if(!$contact) {
 $response->bailOut(App::$l10n->t('Couldn\'t find contact.'));
@@ -62,13 +59,11 @@ class ContactController extends BaseController {
 $app = new App($this->api->getUserId());
 $request = $this->request;
+ $params = $this->request->urlParams;
 $response = new JSONResponse();
- $contact = $app->getContact(
- $request->parameters['backend'],
- $request->parameters['addressbookid'],
- $request->parameters['contactid']
- );
+ $addressBook = $app->getAddressBook($params['backend'], $params['addressbookid']);
+ $contact = $addressBook->getChild($params['contactid']);
 if(!$contact) {
 $response->bailOut(App::$l10n->t('Couldn\'t find contact.'));
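Review bot: The value returned by `$app->getAddressBook(...)` is dereferenced with `->getChild()` without any check, here and in the hunks at -62 and -101. Going by the commit subject, this lookup is now the step that enforces access to the address book, so a backend or id that does not resolve, or is refused, should end in the same controlled `bailOut` as a missing contact. Whether `getAddressBook` throws or returns null/false is not visible in the diff; if it can return a non-object, the request ends in a fatal error instead of a JSON error. A guard before `getChild` such as `if(!$addressBook) { $response->bailOut(App::$l10n->t('Couldn\'t find contact.')); return $response; }` would cover that case. The method body starts and ends outside the hunk.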
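Review bot: The `$params = $this->request->urlParams;` assignment added in this hunk has no counterpart in the first hunk (-35), which also reads `$params['backend']`, `$params['addressbookid']` and `$params['contactid']`. Unless `$params` is already assigned above that hunk's first context line, those lookups run against an undefined variable and the address book is requested with null identifiers. Adding the same line after `$request = $this->request;` there would keep the two actions consistent. The ids are now read from `urlParams` rather than `$request->parameters`; if that narrowing is intentional, a one-line comment saying so would help the next reader. Both method bodies extend beyond the hunks.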
@@ -101,7 +96,16 @@ class ContactController extends BaseController {
 $app = new App($this->api->getUserId());
 $etag = null;
 $max_size = 170;
- $contact = $app->getContact($params['backend'], $params['addressbookid'], $params['contactid']);
+
+ $addressBook = $app->getAddressBook($params['backend'], $params['addressbookid']);
+ $contact = $addressBook->getChild($params['contactid']);
+
+ if(!$contact) {
+ $response = new JSONResponse();
+ $response->bailOut(App::$l10n->t('Couldn\'t find contact.'));
+ return $response;
+ }
+
 $image = new \OC_Image();
 if (isset($contact->PHOTO) && $image->loadFromBase64((string)$contact->PHOTO)) {
 // OK
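Review bot: The new `if(!$contact)` branch returns a `JSONResponse` from an action that otherwise goes on to build an `\OC_Image` from the contact's PHOTO, so a caller expecting image data receives a JSON body when the contact is missing or not accessible. If that is intended, a comment above the branch would make the contract explicit, for example `// Contact missing or not accessible: answer with a JSON error instead of image data.`. It is also worth confirming that the client requesting the photo handles a non-image reply. The rest of the method, including how the image response is produced, is outside the hunk.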