[CalendarServer-changes] [2567] CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav
source_changes at macosforge.org
Mon Jun 16 18:40:00 PDT 2008
Revision: 2567
http://trac.macosforge.org/projects/calendarserver/changeset/2567
Author: wsanchez at apple.com
Date: 2008-06-16 18:39:59 -0700 (Mon, 16 Jun 2008)
Log Message:
-----------
Root resource ACL comes from config object, not dead property store.
Modified Paths:
--------------
CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/config.py
CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/root.py
CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/tap.py
Modified: CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/config.py
===================================================================
--- CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/config.py 2008-06-17 01:37:14 UTC (rev 2566)
+++ CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/config.py 2008-06-17 01:39:59 UTC (rev 2567)
@@ -17,6 +17,8 @@
import os
import copy
+from twisted.web2.dav import davxml
+from twisted.web2.dav.resource import TwistedACLInheritable
from twistedcaldav.py.plistlib import readPlist
from twistedcaldav.log import Logger
@@ -232,6 +234,9 @@
return str(self._data)
def update(self, items):
+ #
+ # Special handling for directory services configs
+ #
dsType = items.get("DirectoryService", {}).get("type", None)
if dsType is None:
dsType = self._data["DirectoryService"]["type"]
@@ -257,6 +262,31 @@
del self._data["DirectoryService"]["params"][param]
#
+ # Root ACL, derived from AdminPrincipals
+ #
+ aces = [
+ # Read access for authenticated users.
+ davxml.ACE(
+ davxml.Principal(davxml.Authenticated()),
+ davxml.Grant(davxml.Privilege(davxml.Read())),
+ davxml.Protected(),
+ ),
+ ]
+
+ # FIXME: This should be added to calendar homes, not above.
+ for principal in config.AdminPrincipals:
+ aces.append(
+ davxml.ACE(
+ davxml.Principal(davxml.HRef(principal)),
+ davxml.Grant(davxml.Privilege(davxml.All())),
+ davxml.Protected(),
+ TwistedACLInheritable(),
+ )
+ )
+
+ self.rootACL = davxml.ACL(*aces)
+
+ #
# FIXME: Use the config object instead of doing this here
#
from twistedcaldav.resource import CalendarPrincipalResource
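Review bot: The loop `for principal in config.AdminPrincipals:` sits inside `Config.update(self, items)` but reads the module-level `config` rather than `self`, so a second `Config` instance would build `rootACL` from the wrong object, and an `update()` call made before the global is bound (if the constructor calls it, which is not visible here) would raise `NameError`. Using `for principal in self.AdminPrincipals:` keeps the ACL tied to the instance being updated, assuming attribute access works on `self` the way it does on `config`. The read ACE also changes from `davxml.Principal(davxml.All())` in the code removed from tap.py to `davxml.Principal(davxml.Authenticated())`, which the log message does not mention; a comment such as `# Was davxml.All() in tap.py; unauthenticated reads of the root are now denied.` would record that this is intentional. The `log.info("Added %s as admin principal" ...)` lines are dropped with the move, so nothing records any more which principals are granted `davxml.All()` on the root. The body of `update()` starts and ends outside this hunk.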
Modified: CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/root.py
===================================================================
--- CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/root.py 2008-06-17 01:37:14 UTC (rev 2566)
+++ CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/root.py 2008-06-17 01:39:59 UTC (rev 2567)
@@ -14,7 +14,12 @@
# limitations under the License.
##
-from twisted.internet import defer
+__all__ = [
+ "RootACLMixIn",
+ "RootResource",
+]
+
+from twisted.internet.defer import maybeDeferred, succeed
from twisted.python.failure import Failure
from twisted.cred.error import LoginFailed, UnauthorizedLogin
@@ -34,7 +39,17 @@
log = Logger()
-class RootResource(DAVFile):
+
+class RootACLMixIn (object):
+ def defaultAccessControlList(self):
+ return config.rootACL
+
+ def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+ # Permissions here are fixed, and are not subject to inherritance rules, etc.
+ return succeed(self.defaultAccessControlList())
+
+
+class RootResource (RootACLMixIn, DAVFile):
"""
A special root resource that contains support checking SACLs
as well as adding responseFilters.
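Review bot: `RootACLMixIn` overrides only the read side, so `setAccessControlList()` (which tap.py called on the root until this commit) would presumably still write to the property store while `accessControlList()` never reads it back, and a caller changing the root ACL would see success with no effect. Overriding the setter in the mixin to refuse makes the fixed policy explicit, e.g. `def setAccessControlList(self, acl): raise HTTPError(responsecode.FORBIDDEN)`, provided those names are imported in root.py (not visible in this hunk). The mixin also has no docstring; something like `"""Serve the root ACL from config.rootACL; it is fixed and ignores inheritance and any stored ACL."""` would state the contract, and the comment's "inherritance" should read "inheritance". The body of `RootResource` continues outside the hunk.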
@@ -123,7 +138,7 @@
d.addCallback(_checkedSACLCb)
return d
- d = defer.maybeDeferred(self.authenticate, request)
+ d = maybeDeferred(self.authenticate, request)
d.addCallbacks(_authCb, _authEb)
d.addCallback(_checkSACLCb)
return d
@@ -174,7 +189,7 @@
if request.method == 'PROPFIND' and not getattr(
request, 'notInCache', False):
- d = defer.maybeDeferred(self.authenticate, request)
+ d = maybeDeferred(self.authenticate, request)
d.addCallbacks(_authCb, _authEb)
d.addCallback(_getCachedResource, request)
d.addErrback(_resourceNotInCacheEb)
Modified: CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/tap.py
===================================================================
--- CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/tap.py 2008-06-17 01:37:14 UTC (rev 2566)
+++ CalendarServer/branches/users/wsanchez/fixed-acls/twistedcaldav/tap.py 2008-06-17 01:39:59 UTC (rev 2567)
@@ -34,8 +34,6 @@
from twisted.cred.portal import Portal
from twisted.web2.dav import auth
-from twisted.web2.dav import davxml
-from twisted.web2.dav.resource import TwistedACLInheritable
from twisted.web2.auth.basic import BasicCredentialFactory
from twisted.web2.channel import http
@@ -518,7 +516,7 @@
root.putChild('principals', principalCollection)
root.putChild('calendars', calendarCollection)
- # Timezone service is optional
+ # Timezone service is optional
if config.EnableTimezoneService:
timezoneService = self.timezoneServiceResourceClass(
os.path.join(config.DocumentRoot, "timezones"),
@@ -526,35 +524,6 @@
)
root.putChild('timezones', timezoneService)
- # Configure default ACLs on the root resource
-
- log.info("Setting up default ACEs on root resource")
-
- rootACEs = [
- davxml.ACE(
- davxml.Principal(davxml.All()),
- davxml.Grant(davxml.Privilege(davxml.Read())),
- ),
- ]
-
- log.info("Setting up AdminPrincipals")
-
- for principal in config.AdminPrincipals:
- log.info("Added %s as admin principal" % (principal,))
-
- rootACEs.append(
- davxml.ACE(
- davxml.Principal(davxml.HRef(principal)),
- davxml.Grant(davxml.Privilege(davxml.All())),
- davxml.Protected(),
- TwistedACLInheritable(),
- )
- )
-
- log.info("Setting root ACL")
-
- root.setAccessControlList(davxml.ACL(*rootACEs))
-
#
# Configure ancillary data
#