[CalendarServer-changes] [2583] CalendarServer/branches/users/wsanchez/acl2

source_changes at macosforge.org source_changes at macosforge.org
Tue Jun 17 18:58:38 PDT 2008


Revision: 2583
          http://trac.macosforge.org/projects/calendarserver/changeset/2583
Author:   wsanchez at apple.com
Date:     2008-06-17 18:58:38 -0700 (Tue, 17 Jun 2008)

Log Message:
-----------
Add EnableAnonymousReadNav, which allows admin to specify whether anon users can navigate the /principals and /calendars hierarchy.

Modified Paths:
--------------
    CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist
    CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist
    CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py
    CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py

Modified: CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist	2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist	2008-06-18 01:58:38 UTC (rev 2583)
@@ -195,11 +195,24 @@
   <key>EnableProxyPrincipals</key>
   <true/>
 
+
+  <!--
+    Permissions
+   -->
+
   <!-- Anonymous read access for root resource -->
   <key>EnableAnonymousReadRoot</key>
   <true/>
 
+  <!-- Anonymous read access for root resource -->
+  <key>EnableAnonymousReadNav</key>
+  <false/>
 
+  <!-- Enables directory listings for principals -->
+  <key>EnablePrincipalListings</key>
+  <true/>
+
+
   <!--
     Authentication
   -->
@@ -397,10 +410,6 @@
   <key>ResponseCompression</key>
   <false/>
 
-  <!-- Enables directory listings for principals -->
-  <key>EnablePrincipalListings</key>
-  <true/>
-
   <!-- Support for Memcached -->
   <key>Memcached</key>
   <dict>

Modified: CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist	2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist	2008-06-18 01:58:38 UTC (rev 2583)
@@ -147,11 +147,24 @@
   <key>EnableProxyPrincipals</key>
   <true/>
 
+
+  <!--
+    Permissions
+   -->
+
   <!-- Anonymous read access for root resource -->
   <key>EnableAnonymousReadRoot</key>
   <true/>
 
+  <!-- Anonymous read access for root resource -->
+  <key>EnableAnonymousReadNav</key>
+  <false/>
 
+  <!-- Enables directory listings for principals -->
+  <key>EnablePrincipalListings</key>
+  <true/>
+
+
   <!--
     Authentication
   -->
@@ -265,11 +278,7 @@
   <key>ResponseCompression</key>
   <false/>
 
-  <!-- Enables directory listings for principals -->
-  <key>EnablePrincipalListings</key>
-  <true/>
 
-
   <!--
     Non-standard CalDAV extensions
   -->

Modified: CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py	2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py	2008-06-18 01:58:38 UTC (rev 2583)
@@ -89,9 +89,15 @@
     "AdminPrincipals": [],                       # Principals with "DAV:all" access (relative URLs)
     "SudoersFile": "/etc/caldavd/sudoers.plist", # Principals that can pose as other principals
     "EnableProxyPrincipals": True,               # Create "proxy access" principals
-    "EnableAnonymousReadRoot": True,             # Allow unauthenticated read access to /
 
     #
+    # Permissions
+    #
+    "EnableAnonymousReadRoot": True, # Allow unauthenticated read access to /
+    "EnableAnonymousReadNav": False, # Allow unauthenticated read access to hierachcy
+    "EnablePrincipalListings": True, # Allow listing of principal collections
+
+    #
     # Authentication
     #
     "Authentication": {
@@ -155,11 +161,6 @@
     "EnableSACLs": False,
 
     #
-    # Enables directory listings for principals
-    #
-    "EnablePrincipalListings": True,
-
-    #
     # Non-standard CalDAV extensions
     #
     "EnableDropBox"         : False, # Calendar Drop Box
@@ -268,35 +269,60 @@
                 del self._data["DirectoryService"]["params"][param]
 
         #
-        # Root ACL, derived from AdminPrincipals
+        # Base resource ACLs
         #
-        if self.EnableAnonymousReadRoot:
-            rootReader = davxml.All()
-        else:
-            rootReader = davxml.Authenticated()
+        def readOnlyACE(allowAnonymous):
+            if allowAnonymous:
+                reader = davxml.All()
+            else:
+                reader = davxml.Authenticated()
 
-        aces = [
-            # Read access for authenticated users.
-            davxml.ACE(
-                davxml.Principal(rootReader),
+            return davxml.ACE(
+                davxml.Principal(reader),
                 davxml.Grant(davxml.Privilege(davxml.Read())),
                 davxml.Protected(),
-            ),
-        ]
+            )
 
-        # FIXME: This should be added to calendar homes, not above.
-        for principal in config.AdminPrincipals:
-            aces.append(
+        self.RootResourceACL = davxml.ACL(
+            # Read-only for anon or authenticated, depending on config
+            readOnlyACE(self.EnableAnonymousReadRoot),
+
+            # Add inheritable all access for admins
+            *[
                 davxml.ACE(
                     davxml.Principal(davxml.HRef(principal)),
                     davxml.Grant(davxml.Privilege(davxml.All())),
                     davxml.Protected(),
                     TwistedACLInheritable(),
                 )
-            )
+                for principal in config.AdminPrincipals
+            ]
+        )
 
-        self.RootResourceACL = davxml.ACL(*aces)
+        log.debug("Root ACL: %s" % (self.RootResourceACL.toxml(),))
 
+        self.ProvisioningResourceACL = davxml.ACL(
+            # Read-only for anon or authenticated, depending on config
+            readOnlyACE(self.EnableAnonymousReadNav),
+
+            # Add inheritable read and read-acl access for admins
+            *[
+                davxml.ACE(
+                    davxml.Principal(davxml.HRef(principal)),
+                    davxml.Grant(
+                        davxml.Privilege(davxml.Read()),
+                        davxml.Privilege(davxml.ReadACL()),
+                        davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+                    ),
+                    davxml.Protected(),
+                    TwistedACLInheritable(),
+                )
+                for principal in config.AdminPrincipals
+            ]
+        )
+
+        log.debug("Nav ACL: %s" % (self.ProvisioningResourceACL.toxml(),))
+
         #
         # FIXME: Use the config object instead of doing this here
         #

Modified: CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py	2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py	2008-06-18 01:58:38 UTC (rev 2583)
@@ -20,6 +20,7 @@
 
 __all__ = [
     "uidsResourceName",
+   #"DirectoryCalendarProvisioningResource",
     "DirectoryCalendarHomeProvisioningResource",
     "DirectoryCalendarHomeTypeProvisioningResource",
     "DirectoryCalendarHomeUIDProvisioningResource",
@@ -45,7 +46,21 @@
 # Use __underbars__ convention to avoid conflicts with directory resource types.
 uidsResourceName = "__uids__"
 
-class DirectoryCalendarHomeProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+
+class DirectoryCalendarProvisioningResource (
+    AutoProvisioningResourceMixIn,
+    ReadOnlyResourceMixIn,
+    DAVResource,
+):
+    def defaultAccessControlList(self):
+        return config.ProvisioningResourceACL
+
+    def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+        # Permissions here are fixed, and are not subject to inherritance rules, etc.
+        return succeed(self.defaultAccessControlList())
+
+
+class DirectoryCalendarHomeProvisioningResource (DirectoryCalendarProvisioningResource):
     """
     Resource which provisions calendar home collections as needed.    
     """
@@ -112,14 +127,8 @@
     def isCollection(self):
         return True
 
-    ##
-    # ACL
-    ##
 
-    def defaultAccessControlList(self):
-        return readOnlyACL
-
-class DirectoryCalendarHomeTypeProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+class DirectoryCalendarHomeTypeProvisioningResource (DirectoryCalendarProvisioningResource):
     """
     Resource which provisions calendar home collections of a specific
     record type as needed.
@@ -178,9 +187,6 @@
     # ACL
     ##
 
-    def defaultAccessControlList(self):
-        return readOnlyACL
-
     def principalCollections(self):
         return self._parent.principalCollections()
 
@@ -188,7 +194,7 @@
         return self._parent.principalForRecord(record)
 
 
-class DirectoryCalendarHomeUIDProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+class DirectoryCalendarHomeUIDProvisioningResource (DirectoryCalendarProvisioningResource):
     def __init__(self, parent):
         """
         @param parent: the parent of this resource
@@ -230,9 +236,6 @@
     # ACL
     ##
 
-    def defaultAccessControlList(self):
-        return readOnlyACL
-
     def principalCollections(self):
         return self.parent.principalCollections()
 
@@ -270,14 +273,6 @@
             assert isinstance(child, cls), "Child %r is not a %s: %r" % (name, cls.__name__, child)
             self.putChild(name, child)
 
-#    def provision(self):
-#        # If an ACL property does not currently exist, create one from
-#        # the defaultACL
-#        if not self.hasDeadProperty(davxml.ACL):
-#            self.writeDeadProperty(self.defaultAccessControlList())
-#        
-#        super(DirectoryCalendarHomeResource, self).provision()
-
     def provisionDefaultCalendars(self):
         self.provision()
 
@@ -397,16 +392,3 @@
             return int(str(self.readDeadProperty(TwistedQuotaRootProperty)))
         else:
             return config.UserQuota
-
-##
-# Utilities
-##
-
-# DAV:read access for authenticated users.
-readOnlyACL = davxml.ACL(
-    davxml.ACE(
-        davxml.Principal(davxml.Authenticated()),
-        davxml.Grant(davxml.Privilege(davxml.Read())),
-        davxml.Protected(),
-    ),
-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20080617/72b3a12e/attachment-0001.htm 


More information about the calendarserver-changes mailing list