[CalendarServer-changes] [1589]
CalendarServer/trunk/twistedcaldav/schedule.py
source_changes at macosforge.org
source_changes at macosforge.org
Wed Jun 6 12:56:35 PDT 2007
Revision: 1589
http://trac.macosforge.org/projects/calendarserver/changeset/1589
Author: cdaboo at apple.com
Date: 2007-06-06 12:56:35 -0700 (Wed, 06 Jun 2007)
Log Message:
-----------
Fix permission check. Verify proper originator. Make proxy privilege protected.
Modified Paths:
--------------
CalendarServer/trunk/twistedcaldav/schedule.py
Modified: CalendarServer/trunk/twistedcaldav/schedule.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/schedule.py 2007-06-06 19:02:54 UTC (rev 1588)
+++ CalendarServer/trunk/twistedcaldav/schedule.py 2007-06-06 19:56:35 UTC (rev 1589)
@@ -169,9 +169,8 @@
# CalDAV:schedule for associated write proxies
davxml.ACE(
davxml.Principal(davxml.HRef(joinURL(myPrincipal.principalURL(), "calendar-proxy-write"))),
- davxml.Grant(
- davxml.Privilege(caldavxml.Schedule()),
- ),
+ davxml.Grant(davxml.Privilege(caldavxml.Schedule()),),
+ davxml.Protected(),
),
)
else:
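Review bot: The comment above this ACE still reads only `# CalDAV:schedule for associated write proxies` and does not record why the entry is now protected. I would extend it to something like `# CalDAV:schedule for associated write proxies; protected so an ACL request cannot remove or alter it`. The trailing comma in `davxml.Grant(davxml.Privilege(caldavxml.Schedule()),)` is harmless, but it looks like a leftover from the multi-line form and can be dropped. The enclosing ACL construction starts and ends outside the hunk.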
@@ -191,10 +190,7 @@
issues which the other approach would have with large numbers of recipients.
"""
# Check authentication and access controls
- parent = waitForDeferred(request.locateResource(parentForURL(request.uri)))
- yield parent
- parent = parent.getResult()
- x = waitForDeferred(parent.authorize(request, (caldavxml.Schedule(),)))
+ x = waitForDeferred(self.authorize(request, (caldavxml.Schedule(),)))
yield x
x.getResult()
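Review bot: The comment `# Check authentication and access controls` does not say which resource the privilege is checked on, and that is exactly what this hunk changes. I would make it explicit, for example `# Require CalDAV:schedule on this resource itself, not on its parent collection`, so a later refactor does not move the check back. The bare `x.getResult()` is presumably called only so that a failed authorization raises; a short `# raises if authorization was denied` would make that clear. The enclosing method starts and ends outside the hunk.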
@@ -223,6 +219,11 @@
log.err("Could not find inbox for originator: %s" % (originator,))
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
+ # Verify that Originator matches the authenticated user
+ if davxml.Principal(davxml.HRef(oprincipal.principalURL())) != self.currentPrincipal(request):
+ log.err("Originator: %s does not match authorized user: %s" % (originator, self.currentPrincipal(request).children[0],))
+ raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
+
# Get list of Recipient headers
rawrecipients = request.headers.getRawHeaders("recipient")
if rawrecipients is None or (len(rawrecipients) == 0):
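Review bot: The new check `if davxml.Principal(davxml.HRef(oprincipal.principalURL())) != self.currentPrincipal(request):` requires the Originator to be exactly the authenticated principal, which appears to conflict with the ACE in the first hunk granting CalDAV:schedule to `calendar-proxy-write`. A write proxy authenticates as itself, so a request naming the delegating principal as Originator would presumably be rejected here even though the ACL allows it. If delegated scheduling is intended, the check needs to also accept an authenticated user who is a write proxy of `oprincipal`; if it is not, a comment saying so would guard against someone loosening the check later by mistake. Separately, `self.currentPrincipal(request)` is evaluated twice, and binding it once (`authPrincipal = self.currentPrincipal(request)`) guarantees the compared value and the logged value are the same. The enclosing method starts and ends outside the hunk.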