[CalendarServer-changes] [2584] CalendarServer/branches/users/wsanchez/acl2
source_changes at macosforge.org
source_changes at macosforge.org
Tue Jun 17 19:23:25 PDT 2008
Revision: 2584
http://trac.macosforge.org/projects/calendarserver/changeset/2584
Author: wsanchez at apple.com
Date: 2008-06-17 19:23:25 -0700 (Tue, 17 Jun 2008)
Log Message:
-----------
Add admin privs to calendar homes.
Admin privs on provisioning resources don't need to be inheritable.
Modified Paths:
--------------
CalendarServer/branches/users/wsanchez/acl2/conf/accounts-test.xml
CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist
CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist
CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py
CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py
Modified: CalendarServer/branches/users/wsanchez/acl2/conf/accounts-test.xml
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/accounts-test.xml 2008-06-18 01:58:38 UTC (rev 2583)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/accounts-test.xml 2008-06-18 02:23:25 UTC (rev 2584)
@@ -25,6 +25,12 @@
<password>admin</password>
<name>Super User</name>
</user>
+ <user>
+ <uid>apprentice</uid>
+ <guid>apprentice</guid>
+ <password>apprentice</password>
+ <name>Apprentice Super User</name>
+ </user>
<user repeat="99">
<uid>user%02d</uid>
<guid>user%02d</guid>
Modified: CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist 2008-06-18 01:58:38 UTC (rev 2583)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/caldavd-test.plist 2008-06-18 02:23:25 UTC (rev 2584)
@@ -187,6 +187,12 @@
<string>/principals/__uids__/admin/</string>
</array>
+ <!-- Principals with "DAV:read" access (relative URLs) -->
+ <key>ReadPrincipals</key>
+ <array>
+ <!-- <string>/principals/users/apprentice/</string> -->
+ </array>
+
<!-- Principals that can pose as other principals -->
<key>SudoersFile</key>
<string>conf/sudoers.plist</string>
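Review bot: The new `ReadPrincipals` key is not read by any of the `twistedcaldav/config.py` hunks in this commit, which still build both the all-access and the read-only admin ACEs from `config.AdminPrincipals`; unless the key is consumed elsewhere, an operator who fills in this array gets no change in access. The comment should also say which resources the grant covers and whether it is inherited, for example `<!-- Principals with non-inherited "DAV:read" access to the provisioning collections (relative URLs) -->` if that is the intent. The same applies to the identical block added to `conf/caldavd.plist`.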
Modified: CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist 2008-06-18 01:58:38 UTC (rev 2583)
+++ CalendarServer/branches/users/wsanchez/acl2/conf/caldavd.plist 2008-06-18 02:23:25 UTC (rev 2584)
@@ -139,6 +139,12 @@
<!-- <string>/principals/users/admin/</string> -->
</array>
+ <!-- Principals with "DAV:read" access (relative URLs) -->
+ <key>ReadPrincipals</key>
+ <array>
+ <!-- <string>/principals/users/apprentice/</string> -->
+ </array>
+
<!-- Principals that can pose as other principals -->
<key>SudoersFile</key>
<string>/etc/caldavd/sudoers.plist</string>
Modified: CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py 2008-06-18 01:58:38 UTC (rev 2583)
+++ CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/config.py 2008-06-18 02:23:25 UTC (rev 2584)
@@ -279,24 +279,29 @@
return davxml.ACE(
davxml.Principal(reader),
- davxml.Grant(davxml.Privilege(davxml.Read())),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+ ),
davxml.Protected(),
)
+ self.AdminACEs = tuple(
+ davxml.ACE(
+ davxml.Principal(davxml.HRef(principal)),
+ davxml.Grant(davxml.Privilege(davxml.All())),
+ davxml.Protected(),
+ TwistedACLInheritable(),
+ )
+ for principal in config.AdminPrincipals
+ )
+
self.RootResourceACL = davxml.ACL(
# Read-only for anon or authenticated, depending on config
readOnlyACE(self.EnableAnonymousReadRoot),
# Add inheritable all access for admins
- *[
- davxml.ACE(
- davxml.Principal(davxml.HRef(principal)),
- davxml.Grant(davxml.Privilege(davxml.All())),
- davxml.Protected(),
- TwistedACLInheritable(),
- )
- for principal in config.AdminPrincipals
- ]
+ *self.AdminACEs
)
log.debug("Root ACL: %s" % (self.RootResourceACL.toxml(),))
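Review bot: `self.AdminACEs` is introduced without a comment, although it carries the broadest grant in this code (`DAV:all`, protected and inheritable) and is read from outside this module as `config.AdminACEs` in `twistedcaldav/directory/calendar.py`. A comment at the assignment would make the reach explicit, e.g. `# DAV:all, protected and inheritable, for each AdminPrincipals entry; shared by the root ACL and the calendar home ACLs`. The tuple is built once where this code runs, so a later change to `AdminPrincipals` presumably takes effect only if this method runs again; that is worth stating if so. The enclosing function starts outside the hunk and may continue past it.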
@@ -305,7 +310,7 @@
# Read-only for anon or authenticated, depending on config
readOnlyACE(self.EnableAnonymousReadNav),
- # Add inheritable read and read-acl access for admins
+ # Add read and read-acl access for admins
*[
davxml.ACE(
davxml.Principal(davxml.HRef(principal)),
@@ -315,7 +320,6 @@
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
),
davxml.Protected(),
- TwistedACLInheritable(),
)
for principal in config.AdminPrincipals
]
Modified: CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py
===================================================================
--- CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py 2008-06-18 01:58:38 UTC (rev 2583)
+++ CalendarServer/branches/users/wsanchez/acl2/twistedcaldav/directory/calendar.py 2008-06-18 02:23:25 UTC (rev 2584)
@@ -345,7 +345,7 @@
davxml.Grant(davxml.Privilege(caldavxml.ReadFreeBusy())),
TwistedACLInheritable(),
),
- )
+ ) + config.AdminACEs
if config.EnableProxyPrincipals:
aces += (
@@ -367,6 +367,10 @@
return davxml.ACL(*aces)
+ def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+ # Permissions here are fixed, and are not subject to inherritance rules, etc.
+ return succeed(self.defaultAccessControlList())
+
def principalCollections(self):
return self.parent.principalCollections()
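Review bot: The new `accessControlList` ignores `request`, `inheritance`, `expanding` and `inherited_aces` and always returns the default ACL, so any stored ACL and any ACEs inherited from the parent are disregarded on this resource, and the `DAV:all` entries that the earlier hunk appends from `config.AdminACEs` cannot be narrowed per home. That looks intentional, but it deserves a docstring saying that the arguments are ignored on purpose and that the result is returned wrapped by `succeed` (presumably Twisted's, giving a Deferred), rather than a one-line comment. The comment also misspells a word; it should read `# Permissions here are fixed, and are not subject to inheritance rules, etc.`. No visible hunk of this file imports `succeed`, so confirm the import exists in calendar.py.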