[CalendarServer-changes] [1589] CalendarServer/trunk/twistedcaldav/schedule.py

source_changes at macosforge.org source_changes at macosforge.org
Wed Jun 6 12:56:35 PDT 2007


Revision: 1589
          http://trac.macosforge.org/projects/calendarserver/changeset/1589
Author:   cdaboo at apple.com
Date:     2007-06-06 12:56:35 -0700 (Wed, 06 Jun 2007)

Log Message:
-----------
Fix permission check. Verify proper originator. Make proxy privilege protected.

Modified Paths:
--------------
    CalendarServer/trunk/twistedcaldav/schedule.py

Modified: CalendarServer/trunk/twistedcaldav/schedule.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/schedule.py	2007-06-06 19:02:54 UTC (rev 1588)
+++ CalendarServer/trunk/twistedcaldav/schedule.py	2007-06-06 19:56:35 UTC (rev 1589)
@@ -169,9 +169,8 @@
                 # CalDAV:schedule for associated write proxies
                 davxml.ACE(
                     davxml.Principal(davxml.HRef(joinURL(myPrincipal.principalURL(), "calendar-proxy-write"))),
-                    davxml.Grant(
-                        davxml.Privilege(caldavxml.Schedule()),
-                    ),
+                    davxml.Grant(davxml.Privilege(caldavxml.Schedule()),),
+                    davxml.Protected(),
                 ),
             )
         else:
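Review bot: The comment above the ACE still reads only `# CalDAV:schedule for associated write proxies`, so the reason for the newly added `davxml.Protected()` is not recorded anywhere near the code. In WebDAV ACL terms a protected ACE is one a client cannot remove or modify with an ACL request, which is the security property the log message ("Make proxy privilege protected") is after; I would extend the comment to `# CalDAV:schedule for associated write proxies; protected so an ACL request cannot strip it`. Separately, the collapsed `davxml.Grant(davxml.Privilege(caldavxml.Schedule()),)` keeps a trailing comma after a single positional argument, which reads like a leftover from the multi-line form and could be dropped. The enclosing ACL-building code begins before this hunk.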
@@ -191,10 +190,7 @@
         issues which the other approach would have with large numbers of recipients.
         """
         # Check authentication and access controls
-        parent = waitForDeferred(request.locateResource(parentForURL(request.uri)))
-        yield parent
-        parent = parent.getResult()
-        x = waitForDeferred(parent.authorize(request, (caldavxml.Schedule(),)))
+        x = waitForDeferred(self.authorize(request, (caldavxml.Schedule(),)))
         yield x
         x.getResult()
 
@@ -223,6 +219,11 @@
             log.err("Could not find inbox for originator: %s" % (originator,))
             raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
     
+        # Verify that Originator matches the authenticated user
+        if davxml.Principal(davxml.HRef(oprincipal.principalURL())) != self.currentPrincipal(request):
+            log.err("Originator: %s does not match authorized user: %s" % (originator, self.currentPrincipal(request).children[0],))
+            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "originator-allowed")))
+
         # Get list of Recipient headers
         rawrecipients = request.headers.getRawHeaders("recipient")
         if rawrecipients is None or (len(rawrecipients) == 0):
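Review bot: The new originator check at `if davxml.Principal(davxml.HRef(oprincipal.principalURL())) != self.currentPrincipal(request):` relies on davxml elements comparing structurally; if `Principal`/`HRef` do not implement `__eq__`, `!=` falls back to identity and every request is rejected, so this deserves a test with a matching originator, and it is also sensitive to any normalisation difference (such as a trailing slash) between `principalURL()` and the href inside the authenticated principal. `self.currentPrincipal(request)` is evaluated twice, once in the condition and again in the log line; binding it once avoids the repeated lookup and keeps the log consistent with what was compared: `authzPrincipal = self.currentPrincipal(request)`, `if davxml.Principal(davxml.HRef(oprincipal.principalURL())) != authzPrincipal:`, `log.err("Originator: %s does not match authorized user: %s" % (originator, authzPrincipal.children[0],))`. Reusing the `originator-allowed` precondition for the mismatch case is good, since it does not reveal to the client whether the originator exists. The enclosing method begins before this hunk and continues after it.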
