[CalendarServer-changes] [2583] CalendarServer/branches/users/wsanchez/acl2
source_changes at macosforge.org
source_changes at macosforge.org
Tue Jun 17 18:58:38 PDT 2008
Revision: 2583
http://trac.macosforge.org/projects/calendarserver/changeset/2583
Author: wsanchez at apple.com
Date: 2008-06-17 18:58:38 -0700 (Tue, 17 Jun 2008)
Log Message:
-----------
Add EnableAnonymousReadNav, which allows an administrator to specify whether anonymous users can navigate the /principals and /calendars hierarchy.
Modified Paths:
--------------
CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist
CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist
CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py
CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py
Modified: CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist 2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist 2008-06-18 01:58:38 UTC (rev 2583)
@@ -195,11 +195,24 @@
<key>EnableProxyPrincipals</key>
<true/>
+
+ <!--
+ Permissions
+ -->
+
<!-- Anonymous read access for root resource -->
<key>EnableAnonymousReadRoot</key>
<true/>
+ <!-- Anonymous read access for root resource -->
+ <key>EnableAnonymousReadNav</key>
+ <false/>
+ <!-- Enables directory listings for principals -->
+ <key>EnablePrincipalListings</key>
+ <true/>
+
+
<!--
Authentication
-->
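Review bot: The comment added above the new key (`+ <!-- Anonymous read access for root resource -->`) is a copy of the EnableAnonymousReadRoot comment and does not describe EnableAnonymousReadNav, which per the log message governs anonymous navigation of the /principals and /calendars hierarchy; suggest `<!-- Anonymous read access for the /principals and /calendars hierarchy (navigation) -->`. The same copied comment appears in the matching hunk of conf/caldavd.plist. Since this key ships as `<false/>` while EnableAnonymousReadRoot ships as `<true/>`, an accurate comment is what tells an administrator which of the two actually widens anonymous access.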
@@ -397,10 +410,6 @@
<key>ResponseCompression</key>
<false/>
- <!-- Enables directory listings for principals -->
- <key>EnablePrincipalListings</key>
- <true/>
-
<!-- Support for Memcached -->
<key>Memcached</key>
<dict>
Modified: CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist 2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist 2008-06-18 01:58:38 UTC (rev 2583)
@@ -147,11 +147,24 @@
<key>EnableProxyPrincipals</key>
<true/>
+
+ <!--
+ Permissions
+ -->
+
<!-- Anonymous read access for root resource -->
<key>EnableAnonymousReadRoot</key>
<true/>
+ <!-- Anonymous read access for root resource -->
+ <key>EnableAnonymousReadNav</key>
+ <false/>
+ <!-- Enables directory listings for principals -->
+ <key>EnablePrincipalListings</key>
+ <true/>
+
+
<!--
Authentication
-->
@@ -265,11 +278,7 @@
<key>ResponseCompression</key>
<false/>
- <!-- Enables directory listings for principals -->
- <key>EnablePrincipalListings</key>
- <true/>
-
<!--
Non-standard CalDAV extensions
-->
Modified: CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py 2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py 2008-06-18 01:58:38 UTC (rev 2583)
@@ -89,9 +89,15 @@
"AdminPrincipals": [], # Principals with "DAV:all" access (relative URLs)
"SudoersFile": "/etc/caldavd/sudoers.plist", # Principals that can pose as other principals
"EnableProxyPrincipals": True, # Create "proxy access" principals
- "EnableAnonymousReadRoot": True, # Allow unauthenticated read access to /
#
+ # Permissions
+ #
+ "EnableAnonymousReadRoot": True, # Allow unauthenticated read access to /
+ "EnableAnonymousReadNav": False, # Allow unauthenticated read access to hierachcy
+ "EnablePrincipalListings": True, # Allow listing of principal collections
+
+ #
# Authentication
#
"Authentication": {
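Review bot: The inline comment on the new `EnableAnonymousReadNav` default misspells "hierarchy" and leaves unsaid which hierarchy is meant; suggest `"EnableAnonymousReadNav": False, # Allow unauthenticated read access to the /principals and /calendars hierarchy`. The False default keeps navigation closed to anonymous users unless an administrator opts in, which matches the log message, so the comment should make that scope explicit for whoever flips it.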
@@ -155,11 +161,6 @@
"EnableSACLs": False,
#
- # Enables directory listings for principals
- #
- "EnablePrincipalListings": True,
-
- #
# Non-standard CalDAV extensions
#
"EnableDropBox" : False, # Calendar Drop Box
@@ -268,35 +269,60 @@
del self._data["DirectoryService"]["params"][param]
#
- # Root ACL, derived from AdminPrincipals
+ # Base resource ACLs
#
- if self.EnableAnonymousReadRoot:
- rootReader = davxml.All()
- else:
- rootReader = davxml.Authenticated()
+ def readOnlyACE(allowAnonymous):
+ if allowAnonymous:
+ reader = davxml.All()
+ else:
+ reader = davxml.Authenticated()
- aces = [
- # Read access for authenticated users.
- davxml.ACE(
- davxml.Principal(rootReader),
+ return davxml.ACE(
+ davxml.Principal(reader),
davxml.Grant(davxml.Privilege(davxml.Read())),
davxml.Protected(),
- ),
- ]
+ )
- # FIXME: This should be added to calendar homes, not above.
- for principal in config.AdminPrincipals:
- aces.append(
+ self.RootResourceACL = davxml.ACL(
+ # Read-only for anon or authenticated, depending on config
+ readOnlyACE(self.EnableAnonymousReadRoot),
+
+ # Add inheritable all access for admins
+ *[
davxml.ACE(
davxml.Principal(davxml.HRef(principal)),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
TwistedACLInheritable(),
)
- )
+ for principal in config.AdminPrincipals
+ ]
+ )
- self.RootResourceACL = davxml.ACL(*aces)
+ log.debug("Root ACL: %s" % (self.RootResourceACL.toxml(),))
+ self.ProvisioningResourceACL = davxml.ACL(
+ # Read-only for anon or authenticated, depending on config
+ readOnlyACE(self.EnableAnonymousReadNav),
+
+ # Add inheritable read and read-acl access for admins
+ *[
+ davxml.ACE(
+ davxml.Principal(davxml.HRef(principal)),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ davxml.Privilege(davxml.ReadACL()),
+ davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+ ),
+ davxml.Protected(),
+ TwistedACLInheritable(),
+ )
+ for principal in config.AdminPrincipals
+ ]
+ )
+
+ log.debug("Nav ACL: %s" % (self.ProvisioningResourceACL.toxml(),))
+
#
# FIXME: Use the config object instead of doing this here
#
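Review bot: The two new ACLs read the anonymous flags from `self` (`self.EnableAnonymousReadRoot`, `self.EnableAnonymousReadNav`) but take the admin list from the module-level `config.AdminPrincipals`; if this method is ever run on a config instance other than that global, the admin ACEs would be built from a different (possibly stale) configuration than the reader ACE. Using `for principal in self.AdminPrincipals` at both list comprehensions keeps each ACL derived from one object. `readOnlyACE` also merits a short docstring stating that it returns a protected DAV:read ACE granted to DAV:all when allowAnonymous is true and to DAV:authenticated otherwise. The two `log.debug("...: %s" % (x.toxml(),))` calls serialize the ACLs to XML even when debug logging is disabled; if the logger accepts lazy %-args, passing the object and letting the logger call `toxml()` avoids that work on every startup. The enclosing method starts before this hunk.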
Modified: CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py 2008-06-18 01:53:57 UTC (rev 2582)
+++ CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py 2008-06-18 01:58:38 UTC (rev 2583)
@@ -20,6 +20,7 @@
__all__ = [
"uidsResourceName",
+ #"DirectoryCalendarProvisioningResource",
"DirectoryCalendarHomeProvisioningResource",
"DirectoryCalendarHomeTypeProvisioningResource",
"DirectoryCalendarHomeUIDProvisioningResource",
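Review bot: The new `__all__` entry is commented out (`#"DirectoryCalendarProvisioningResource",`), which leaves dead text in the export list; either export the new base class, `"DirectoryCalendarProvisioningResource",`, so subclasses in other modules can import it, or drop the line. If the intent is to keep it module-private, a leading underscore on the class name would say so more clearly than a commented-out export.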
@@ -45,7 +46,21 @@
# Use __underbars__ convention to avoid conflicts with directory resource types.
uidsResourceName = "__uids__"
-class DirectoryCalendarHomeProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+
+class DirectoryCalendarProvisioningResource (
+ AutoProvisioningResourceMixIn,
+ ReadOnlyResourceMixIn,
+ DAVResource,
+):
+ def defaultAccessControlList(self):
+ return config.ProvisioningResourceACL
+
+ def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+ # Permissions here are fixed, and are not subject to inherritance rules, etc.
+ return succeed(self.defaultAccessControlList())
+
+
+class DirectoryCalendarHomeProvisioningResource (DirectoryCalendarProvisioningResource):
"""
Resource which provisions calendar home collections as needed.
"""
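Review bot: `DirectoryCalendarProvisioningResource` is new and has no docstring, and its `accessControlList` override accepts `inheritance`, `expanding` and `inherited_aces` but ignores all three, so a caller asking for an expanded or inherited ACL gets the fixed one regardless; the inline comment says this is intended, but it belongs where a reader looks first. Suggest a class docstring along the lines of `"""Base class for calendar provisioning resources; the ACL is fixed to config.ProvisioningResourceACL and ignores stored ACL properties and inheritance."""` and fix "inherritance" in the method comment. Because the override bypasses any per-resource ACL property, the only way to change who may read these collections is EnableAnonymousReadNav and AdminPrincipals in the config, which is worth a sentence in that docstring. This also assumes `succeed` (presumably twisted.internet.defer) and `config` are already imported in this module, which is outside the hunk. Separately, the `## ACL ##` banners left behind at the two removed `defaultAccessControlList` sites later in this file now head `principalCollections` and should be removed with the methods.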
@@ -112,14 +127,8 @@
def isCollection(self):
return True
- ##
- # ACL
- ##
- def defaultAccessControlList(self):
- return readOnlyACL
-
-class DirectoryCalendarHomeTypeProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+class DirectoryCalendarHomeTypeProvisioningResource (DirectoryCalendarProvisioningResource):
"""
Resource which provisions calendar home collections of a specific
record type as needed.
@@ -178,9 +187,6 @@
# ACL
##
- def defaultAccessControlList(self):
- return readOnlyACL
-
def principalCollections(self):
return self._parent.principalCollections()
@@ -188,7 +194,7 @@
return self._parent.principalForRecord(record)
-class DirectoryCalendarHomeUIDProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+class DirectoryCalendarHomeUIDProvisioningResource (DirectoryCalendarProvisioningResource):
def __init__(self, parent):
"""
@param parent: the parent of this resource
@@ -230,9 +236,6 @@
# ACL
##
- def defaultAccessControlList(self):
- return readOnlyACL
-
def principalCollections(self):
return self.parent.principalCollections()
@@ -270,14 +273,6 @@
assert isinstance(child, cls), "Child %r is not a %s: %r" % (name, cls.__name__, child)
self.putChild(name, child)
-# def provision(self):
-# # If an ACL property does not currently exist, create one from
-# # the defaultACL
-# if not self.hasDeadProperty(davxml.ACL):
-# self.writeDeadProperty(self.defaultAccessControlList())
-#
-# super(DirectoryCalendarHomeResource, self).provision()
-
def provisionDefaultCalendars(self):
self.provision()
@@ -397,16 +392,3 @@
return int(str(self.readDeadProperty(TwistedQuotaRootProperty)))
else:
return config.UserQuota
-
-##
-# Utilities
-##
-
-# DAV:read access for authenticated users.
-readOnlyACL = davxml.ACL(
- davxml.ACE(
- davxml.Principal(davxml.Authenticated()),
- davxml.Grant(davxml.Privilege(davxml.Read())),
- davxml.Protected(),
- ),
-)