[CalendarServer-changes] [3494] CalendarServer/trunk/twistedcaldav
source_changes at macosforge.org
source_changes at macosforge.org
Tue Dec 9 20:30:10 PST 2008
Revision: 3494
http://trac.macosforge.org/projects/calendarserver/changeset/3494
Author: cdaboo at apple.com
Date: 2008-12-09 20:30:09 -0800 (Tue, 09 Dec 2008)
Log Message:
-----------
Allow admin principals full access to private event data.
Modified Paths:
--------------
CalendarServer/trunk/twistedcaldav/method/get.py
CalendarServer/trunk/twistedcaldav/method/report_calquery.py
CalendarServer/trunk/twistedcaldav/method/report_multiget.py
CalendarServer/trunk/twistedcaldav/resource.py
CalendarServer/trunk/twistedcaldav/static.py
Modified: CalendarServer/trunk/twistedcaldav/method/get.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/method/get.py 2008-12-09 23:43:20 UTC (rev 3493)
+++ CalendarServer/trunk/twistedcaldav/method/get.py 2008-12-10 04:30:09 UTC (rev 3494)
@@ -48,7 +48,7 @@
yield self.authorize(request, (davxml.Read(),))
# Non DAV:owner's have limited access to the data
- isowner = (yield self.isOwner(request))
+ isowner = (yield self.isOwner(request, adminprincipals=True, readprincipals=True))
if not isowner:
# Now "filter" the resource calendar data through the CALDAV:calendar-data element and apply
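Review bot: Every call site passes `readprincipals=True` alongside `adminprincipals=True` (here, and the same change in report_calquery.py, report_multiget.py and static.py), but the log message only says admin principals get full access to private event data. This flag decides who bypasses the private-data filtering that follows, so the widening should be deliberate: if read principals are not meant to see unfiltered data, `isowner = (yield self.isOwner(request, adminprincipals=True))` matches the stated intent; if they are, the log message should say so. The enclosing method body begins before this hunk.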
Modified: CalendarServer/trunk/twistedcaldav/method/report_calquery.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/method/report_calquery.py 2008-12-09 23:43:20 UTC (rev 3493)
+++ CalendarServer/trunk/twistedcaldav/method/report_calquery.py 2008-12-10 04:30:09 UTC (rev 3494)
@@ -1,5 +1,5 @@
##
-# Copyright (c) 2006-2007 Apple Inc. All rights reserved.
+# Copyright (c) 2006-2008 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -160,7 +160,7 @@
filteredaces = (yield calresource.inheritedACEsforChildren(request))
# Check private events access status
- isowner = (yield calresource.isOwner(request))
+ isowner = (yield calresource.isOwner(request, adminprincipals=True, readprincipals=True))
# Check for disabled access
if filteredaces is not None:
@@ -217,7 +217,7 @@
timezone = tuple(tz.calendar().subcomponents())[0]
# Check private events access status
- isowner = (yield calresource.isOwner(request))
+ isowner = (yield calresource.isOwner(request, adminprincipals=True, readprincipals=True))
calendar = calresource.iCalendar()
yield queryCalendarObjectResource(calresource, uri, None, calendar, timezone)
Modified: CalendarServer/trunk/twistedcaldav/method/report_multiget.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/method/report_multiget.py 2008-12-09 23:43:20 UTC (rev 3493)
+++ CalendarServer/trunk/twistedcaldav/method/report_multiget.py 2008-12-10 04:30:09 UTC (rev 3494)
@@ -112,7 +112,7 @@
disabled = True
# Check private events access status
- isowner = (yield self.isOwner(request))
+ isowner = (yield self.isOwner(request, adminprincipals=True, readprincipals=True))
elif self.isCollection():
requestURIis = "collection"
@@ -223,7 +223,7 @@
filteredaces = (yield parent.inheritedACEsforChildren(request))
# Check private events access status
- isowner = (yield parent.isOwner(request))
+ isowner = (yield parent.isOwner(request, adminprincipals=True, readprincipals=True))
else:
name = unquote(resource_uri[resource_uri.rfind("/") + 1:])
if (resource_uri != request.uri) or not self.exists():
@@ -242,7 +242,7 @@
filteredaces = (yield parent.inheritedACEsforChildren(request))
# Check private events access status
- isowner = (yield parent.isOwner(request))
+ isowner = (yield parent.isOwner(request, adminprincipals=True, readprincipals=True))
# Check privileges - must have at least DAV:read
try:
Modified: CalendarServer/trunk/twistedcaldav/resource.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/resource.py 2008-12-09 23:43:20 UTC (rev 3493)
+++ CalendarServer/trunk/twistedcaldav/resource.py 2008-12-10 04:30:09 UTC (rev 3494)
@@ -1,5 +1,5 @@
##
-# Copyright (c) 2005-2007 Apple Inc. All rights reserved.
+# Copyright (c) 2005-2008 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -335,8 +335,11 @@
if access.getValue() in (Component.ACCESS_PRIVATE, Component.ACCESS_CONFIDENTIAL, Component.ACCESS_RESTRICTED,):
# Need to insert ACE to prevent non-owner principals from seeing this resource
owner = (yield self.owner(request))
+ newacls = []
if access.getValue() == Component.ACCESS_PRIVATE:
- ace = davxml.ACE(
+ newacls.extend(config.AdminACEs)
+ newacls.extend(config.ReadACEs)
+ newacls.append(davxml.ACE(
davxml.Invert(
davxml.Principal(owner),
),
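Review bot: The pair `newacls.extend(config.AdminACEs)` / `newacls.extend(config.ReadACEs)` is repeated verbatim in both branches of the `if access.getValue() == Component.ACCESS_PRIVATE:` test (here and in the next hunk), so the only thing that differs per branch is the ACE appended afterwards. Placing the two `extend` calls once, directly after `newacls = []`, removes the duplication and makes it harder for a later edit to change the grant set in one branch but not the other. The enclosing method starts before this hunk and continues past it.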
@@ -349,9 +352,11 @@
),
),
davxml.Protected(),
- )
+ ))
else:
- ace = davxml.ACE(
+ newacls.extend(config.AdminACEs)
+ newacls.extend(config.ReadACEs)
+ newacls.append(davxml.ACE(
davxml.Invert(
davxml.Principal(owner),
),
@@ -361,9 +366,11 @@
),
),
davxml.Protected(),
- )
+ ))
+ newacls.extend(acls.children)
- acls = davxml.ACL(ace, *acls.children)
+ acls = davxml.ACL(*newacls)
+
returnValue(acls)
def owner(self, request):
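Review bot: The order of the assembled list — admin/read grant ACEs, then the `Invert(owner)` deny ACE, then the existing `acls.children` — is what makes the new grants effective, and nothing records that. If the ACL is evaluated in document order, as RFC 3744 describes, a deny placed first would shadow the grants, so a comment above `acls = davxml.ACL(*newacls)` such as `# Order matters: admin/read grant ACEs must precede the Invert(owner) deny ACE` would protect the ordering. The added empty `+` line before `returnValue(acls)` is whitespace only.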
@@ -391,15 +398,29 @@
d.addCallback(_gotParent)
return d
- def isOwner(self, request):
+ def isOwner(self, request, adminprincipals=False, readprincipals=False):
"""
Determine whether the DAV:owner of this resource matches the currently authorized principal
- in the request.
+ in the request. Optionally test for admin or read principals and allow those.
"""
def _gotOwner(owner):
- return davxml.Principal(owner) == self.currentPrincipal(request)
+ current = self.currentPrincipal(request)
+ if davxml.Principal(owner) == current:
+ return True
+
+ if adminprincipals:
+ for principal in config.AdminPrincipals:
+ if davxml.Principal(davxml.HRef(principal)) == current:
+ return True
+ if readprincipals:
+ for principal in config.AdminPrincipals:
+ if davxml.Principal(davxml.HRef(principal)) == current:
+ return True
+
+ return False
+
d = self.owner(request)
d.addCallback(_gotOwner)
return d
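Review bot: The `readprincipals` branch iterates `config.AdminPrincipals` again instead of the configured read principals, so it is a copy of the admin check and the flag never admits a read principal, while the ACL side of this commit does grant them `config.ReadACEs`; the two halves disagree. The loop should read `for principal in config.READ_PRINCIPALS_SETTING:` where READ_PRINCIPALS_SETTING stands for the read-principal counterpart of `config.AdminPrincipals` (its actual name is not visible in this diff). Since the fix widens who receives unfiltered private event data, confirm that is intended before applying it. The docstring should also describe the new keyword arguments, e.g. `adminprincipals / readprincipals: also return True when the current principal is listed in the configured admin / read principals`. isOwner is fully contained in this hunk.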
Modified: CalendarServer/trunk/twistedcaldav/static.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/static.py 2008-12-09 23:43:20 UTC (rev 3493)
+++ CalendarServer/trunk/twistedcaldav/static.py 2008-12-10 04:30:09 UTC (rev 3494)
@@ -1,5 +1,5 @@
##
-# Copyright (c) 2005-2007 Apple Inc. All rights reserved.
+# Copyright (c) 2005-2008 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -250,7 +250,7 @@
filteredaces = yield self.inheritedACEsforChildren(request)
tzids = set()
- isowner = (yield self.isOwner(request))
+ isowner = (yield self.isOwner(request, adminprincipals=True, readprincipals=True))
for name, uid, type in self.index().bruteForceSearch(): #@UnusedVariable
try: