[CalendarServer-changes] [2586] CalendarServer/trunk
Tue Jun 17 19:57:02 PDT 2008
Revision: 2586
http://trac.macosforge.org/projects/calendarserver/changeset/2586
Author: wsanchez at apple.com
Date: 2008-06-17 19:57:01 -0700 (Tue, 17 Jun 2008)
Log Message:
-----------
Merge http://svn.calendarserver.org/repository/calendarserver/CalendarServer/branches/users/wsanchez/acl2.
Modified Paths:
--------------
CalendarServer/trunk/conf/accounts-test.xml
CalendarServer/trunk/conf/caldavd-test.plist
CalendarServer/trunk/conf/caldavd.plist
CalendarServer/trunk/twistedcaldav/config.py
CalendarServer/trunk/twistedcaldav/directory/calendar.py
Modified: CalendarServer/trunk/conf/accounts-test.xml
===================================================================
--- CalendarServer/trunk/conf/accounts-test.xml 2008-06-18 02:36:14 UTC (rev 2585)
+++ CalendarServer/trunk/conf/accounts-test.xml 2008-06-18 02:57:01 UTC (rev 2586)
@@ -25,6 +25,12 @@
<password>admin</password>
<name>Super User</name>
</user>
+ <user>
+ <uid>apprentice</uid>
+ <guid>apprentice</guid>
+ <password>apprentice</password>
+ <name>Apprentice Super User</name>
+ </user>
<user repeat="99">
<uid>user%02d</uid>
<guid>user%02d</guid>
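Review bot: The new account is named "Apprentice Super User" but, as committed, nothing grants it anything: the only reference to `/principals/users/apprentice/` in the two plists is commented out, so it is an ordinary user until an operator uncomments that `ReadPrincipals` entry. A one-line pointer in the directory file would make the pairing explicit, e.g. `<!-- Test account for the ReadPrincipals feature; enable it in caldavd-test.plist -->` above the `<user>` element. The uid-equals-password convention matches the existing `admin` entry and is fine for a test directory, but this file should never be used as a non-test directory for that reason.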
Modified: CalendarServer/trunk/conf/caldavd-test.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd-test.plist 2008-06-18 02:36:14 UTC (rev 2585)
+++ CalendarServer/trunk/conf/caldavd-test.plist 2008-06-18 02:57:01 UTC (rev 2586)
@@ -187,6 +187,12 @@
<string>/principals/__uids__/admin/</string>
</array>
+ <!-- Principals with "DAV:read" access (relative URLs) -->
+ <key>ReadPrincipals</key>
+ <array>
+ <!-- <string>/principals/users/apprentice/</string> -->
+ </array>
+
<!-- Principals that can pose as other principals -->
<key>SudoersFile</key>
<string>conf/sudoers.plist</string>
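Review bot: The commented example uses the `/principals/users/apprentice/` form while the `AdminPrincipals` entry immediately above (line `<string>/principals/__uids__/admin/</string>`) uses the `__uids__` form, so the test config documents two different principal-URL conventions for what config.py treats identically (both end up as `davxml.HRef(principal)` ACEs). Since an ACE href is presumably matched against the URL the server assigns to the principal, the example should show the same form as the admin entry, e.g. `<!-- <string>/principals/__uids__/apprentice/</string> -->`, or the comment should say which forms resolve. The scope of the grant is also worth a word here: per config.py and directory/calendar.py in this same commit these ACEs are inheritable and added to every calendar home, so `<!-- Principals with inheritable "DAV:read" access to all calendar homes (relative URLs) -->` is more accurate than the current comment.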
@@ -195,11 +201,24 @@
<key>EnableProxyPrincipals</key>
<true/>
+
+ <!--
+ Permissions
+ -->
+
<!-- Anonymous read access for root resource -->
<key>EnableAnonymousReadRoot</key>
<true/>
+ <!-- Anonymous read access for root resource -->
+ <key>EnableAnonymousReadNav</key>
+ <false/>
+ <!-- Enables directory listings for principals -->
+ <key>EnablePrincipalListings</key>
+ <true/>
+
+
<!--
Authentication
-->
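Review bot: The comment above `EnableAnonymousReadNav` is a copy of the `EnableAnonymousReadRoot` comment ("Anonymous read access for root resource"), so the test config now documents two keys with the same sentence although they control different ACLs (`RootResourceACL` vs `ProvisioningResourceACL` in config.py). Suggested wording, matching what config.py's `EnableAnonymousReadNav` line and the provisioning resources in directory/calendar.py show: `<!-- Anonymous read access for the navigation hierarchy (provisioning collections below the root) -->`. The default here stays `<false/>`, which is the safer setting, so the comment is the only thing to fix.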
@@ -397,10 +416,6 @@
<key>ResponseCompression</key>
<false/>
- <!-- Enables directory listings for principals -->
- <key>EnablePrincipalListings</key>
- <true/>
-
<!-- Support for Memcached -->
<key>Memcached</key>
<dict>
Modified: CalendarServer/trunk/conf/caldavd.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd.plist 2008-06-18 02:36:14 UTC (rev 2585)
+++ CalendarServer/trunk/conf/caldavd.plist 2008-06-18 02:57:01 UTC (rev 2586)
@@ -139,6 +139,12 @@
<!-- <string>/principals/users/admin/</string> -->
</array>
+ <!-- Principals with "DAV:read" access (relative URLs) -->
+ <key>ReadPrincipals</key>
+ <array>
+ <!-- <string>/principals/users/apprentice/</string> -->
+ </array>
+
<!-- Principals that can pose as other principals -->
<key>SudoersFile</key>
<string>/etc/caldavd/sudoers.plist</string>
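Review bot: "Principals with DAV:read access" understates what a `ReadPrincipals` entry grants in the production config: the ACEs config.py builds from this list carry `TwistedACLInheritable()` and directory/calendar.py appends them to every calendar home's default ACL, so a listed principal can read every user's calendars and calendar objects, not just some top-level resource. An operator editing `/etc/caldavd/caldavd.plist` will not read config.py, so the comment should say so, e.g. `<!-- Principals granted inheritable "DAV:read" on every user's calendar home and everything beneath it (relative URLs) -->`. Keeping the example commented out by default is right; the scope is what needs stating.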
@@ -147,11 +153,24 @@
<key>EnableProxyPrincipals</key>
<true/>
+
+ <!--
+ Permissions
+ -->
+
<!-- Anonymous read access for root resource -->
<key>EnableAnonymousReadRoot</key>
<true/>
+ <!-- Anonymous read access for root resource -->
+ <key>EnableAnonymousReadNav</key>
+ <false/>
+ <!-- Enables directory listings for principals -->
+ <key>EnablePrincipalListings</key>
+ <true/>
+
+
<!--
Authentication
-->
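Review bot: The comment on the new `EnableAnonymousReadNav` key is a verbatim copy of the `EnableAnonymousReadRoot` comment, so the shipped production config gives an operator no way to tell the two keys apart. Based on config.py in this commit (it feeds `ProvisioningResourceACL`, the ACL the provisioning collections in directory/calendar.py return), `<!-- Anonymous read access for the provisioning hierarchy below the root (calendar home and similar collections) -->` would be accurate. The `<false/>` default is the right one for an unauthenticated-read switch on a hierarchy that lists user resources; it is only the documentation that is wrong.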
@@ -265,11 +284,7 @@
<key>ResponseCompression</key>
<false/>
- <!-- Enables directory listings for principals -->
- <key>EnablePrincipalListings</key>
- <true/>
-
<!--
Non-standard CalDAV extensions
-->
Modified: CalendarServer/trunk/twistedcaldav/config.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/config.py 2008-06-18 02:36:14 UTC (rev 2585)
+++ CalendarServer/trunk/twistedcaldav/config.py 2008-06-18 02:57:01 UTC (rev 2586)
@@ -87,11 +87,18 @@
# Special principals
#
"AdminPrincipals": [], # Principals with "DAV:all" access (relative URLs)
+ "ReadPrincipals": [], # Principals with "DAV:read" access (relative URLs)
"SudoersFile": "/etc/caldavd/sudoers.plist", # Principals that can pose as other principals
"EnableProxyPrincipals": True, # Create "proxy access" principals
- "EnableAnonymousReadRoot": True, # Allow unauthenticated read access to /
#
+ # Permissions
+ #
+ "EnableAnonymousReadRoot": True, # Allow unauthenticated read access to /
+ "EnableAnonymousReadNav": False, # Allow unauthenticated read access to hierachcy
+ "EnablePrincipalListings": True, # Allow listing of principal collections
+
+ #
# Authentication
#
"Authentication": {
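Review bot: The comment on the new `EnableAnonymousReadNav` default misspells "hierarchy" ("hierachcy") and, more importantly, does not say which hierarchy, while the neighbouring `ReadPrincipals` comment does not say that the grant is inheritable across all calendar homes (both facts are established later in this same commit: `TwistedACLInheritable()` on `ReadACEs`, and `aces += config.ReadACEs` in every calendar home's default ACL). Suggested lines: `"ReadPrincipals": [], # Principals with inheritable "DAV:read" on every calendar home (relative URLs)` and `"EnableAnonymousReadNav": False, # Allow unauthenticated read access to the provisioning hierarchy below /`. Defaults of `False` for anonymous navigation and `[]` for both principal lists are the safe choices and should stay.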
@@ -155,11 +162,6 @@
"EnableSACLs": False,
#
- # Enables directory listings for principals
- #
- "EnablePrincipalListings": True,
-
- #
# Non-standard CalDAV extensions
#
"EnableDropBox" : False, # Calendar Drop Box
@@ -268,34 +270,76 @@
del self._data["DirectoryService"]["params"][param]
#
- # Root ACL, derived from AdminPrincipals
+ # Base resource ACLs
#
- if self.EnableAnonymousReadRoot:
- rootReader = davxml.All()
- else:
- rootReader = davxml.Authenticated()
+ def readOnlyACE(allowAnonymous):
+ if allowAnonymous:
+ reader = davxml.All()
+ else:
+ reader = davxml.Authenticated()
- aces = [
- # Read access for authenticated users.
+ return davxml.ACE(
+ davxml.Principal(reader),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+ ),
+ davxml.Protected(),
+ )
+
+ self.AdminACEs = tuple(
davxml.ACE(
- davxml.Principal(rootReader),
- davxml.Grant(davxml.Privilege(davxml.Read())),
+ davxml.Principal(davxml.HRef(principal)),
+ davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
- ),
- ]
+ TwistedACLInheritable(),
+ )
+ for principal in config.AdminPrincipals
+ )
- # FIXME: This should be added to calendar homes, not above.
- for principal in config.AdminPrincipals:
- aces.append(
+ self.ReadACEs = tuple(
+ davxml.ACE(
+ davxml.Principal(davxml.HRef(principal)),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+ ),
+ davxml.Protected(),
+ TwistedACLInheritable(),
+ )
+ for principal in config.ReadPrincipals
+ )
+
+ self.RootResourceACL = davxml.ACL(
+ # Read-only for anon or authenticated, depending on config
+ readOnlyACE(self.EnableAnonymousReadRoot),
+
+ # Add inheritable all access for admins
+ *self.AdminACEs
+ )
+
+ log.debug("Root ACL: %s" % (self.RootResourceACL.toxml(),))
+
+ self.ProvisioningResourceACL = davxml.ACL(
+ # Read-only for anon or authenticated, depending on config
+ readOnlyACE(self.EnableAnonymousReadNav),
+
+ # Add read and read-acl access for admins
+ *[
davxml.ACE(
davxml.Principal(davxml.HRef(principal)),
- davxml.Grant(davxml.Privilege(davxml.All())),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ davxml.Privilege(davxml.ReadACL()),
+ davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+ ),
davxml.Protected(),
- TwistedACLInheritable(),
)
- )
+ for principal in config.AdminPrincipals
+ ]
+ )
- self.RootResourceACL = davxml.ACL(*aces)
+ log.debug("Nav ACL: %s" % (self.ProvisioningResourceACL.toxml(),))
#
# FIXME: Use the config object instead of doing this here
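Review bot: The ACE construction mixes two sources of truth: `self.AdminACEs` and `self.ReadACEs` iterate `config.AdminPrincipals` / `config.ReadPrincipals` (the module-level object), while `readOnlyACE(...)` two lines later reads `self.EnableAnonymousReadRoot` and `self.EnableAnonymousReadNav`. If this method is ever run on an instance other than the module global — or before the global has been updated — the protected ACEs would be built from a different principal list than the anonymous/authenticated switch, which is the kind of inconsistency that is hard to notice in an ACL. The three loops should read `for principal in self.AdminPrincipals` (twice) and `for principal in self.ReadPrincipals`, which is also what the FIXME on the last line of the hunk is asking for. The enclosing method begins before this hunk, so I cannot see whether `self` is guaranteed to be the same object as `config` here.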
Modified: CalendarServer/trunk/twistedcaldav/directory/calendar.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/calendar.py 2008-06-18 02:36:14 UTC (rev 2585)
+++ CalendarServer/trunk/twistedcaldav/directory/calendar.py 2008-06-18 02:57:01 UTC (rev 2586)
@@ -20,6 +20,7 @@
__all__ = [
"uidsResourceName",
+ #"DirectoryCalendarProvisioningResource",
"DirectoryCalendarHomeProvisioningResource",
"DirectoryCalendarHomeTypeProvisioningResource",
"DirectoryCalendarHomeUIDProvisioningResource",
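Review bot: `__all__` gains a commented-out entry for the new `DirectoryCalendarProvisioningResource` base class, which is dead text in a list that is supposed to be the module's public API. Either export it, `"DirectoryCalendarProvisioningResource",`, or drop the line and leave the class private; a commented-out name in `__all__` tells the next reader nothing about which was intended.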
@@ -45,7 +46,21 @@
# Use __underbars__ convention to avoid conflicts with directory resource types.
uidsResourceName = "__uids__"
-class DirectoryCalendarHomeProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+
+class DirectoryCalendarProvisioningResource (
+ AutoProvisioningResourceMixIn,
+ ReadOnlyResourceMixIn,
+ DAVResource,
+):
+ def defaultAccessControlList(self):
+ return config.ProvisioningResourceACL
+
+ def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+ # Permissions here are fixed, and are not subject to inherritance rules, etc.
+ return succeed(self.defaultAccessControlList())
+
+
+class DirectoryCalendarHomeProvisioningResource (DirectoryCalendarProvisioningResource):
"""
Resource which provisions calendar home collections as needed.
"""
@@ -112,14 +127,8 @@
def isCollection(self):
return True
- ##
- # ACL
- ##
- def defaultAccessControlList(self):
- return readOnlyACL
-
-class DirectoryCalendarHomeTypeProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+class DirectoryCalendarHomeTypeProvisioningResource (DirectoryCalendarProvisioningResource):
"""
Resource which provisions calendar home collections of a specific
record type as needed.
@@ -178,9 +187,6 @@
# ACL
##
- def defaultAccessControlList(self):
- return readOnlyACL
-
def principalCollections(self):
return self._parent.principalCollections()
@@ -188,7 +194,7 @@
return self._parent.principalForRecord(record)
-class DirectoryCalendarHomeUIDProvisioningResource (AutoProvisioningResourceMixIn, ReadOnlyResourceMixIn, DAVResource):
+class DirectoryCalendarHomeUIDProvisioningResource (DirectoryCalendarProvisioningResource):
def __init__(self, parent):
"""
@param parent: the parent of this resource
@@ -230,9 +236,6 @@
# ACL
##
- def defaultAccessControlList(self):
- return readOnlyACL
-
def principalCollections(self):
return self.parent.principalCollections()
@@ -270,14 +273,6 @@
assert isinstance(child, cls), "Child %r is not a %s: %r" % (name, cls.__name__, child)
self.putChild(name, child)
-# def provision(self):
-# # If an ACL property does not currently exist, create one from
-# # the defaultACL
-# if not self.hasDeadProperty(davxml.ACL):
-# self.writeDeadProperty(self.defaultAccessControlList())
-#
-# super(DirectoryCalendarHomeResource, self).provision()
-
def provisionDefaultCalendars(self):
self.provision()
@@ -335,7 +330,10 @@
# DAV:read access for authenticated users.
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
- davxml.Grant(davxml.Privilege(davxml.Read())),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
+ ),
),
# Inheritable DAV:all access for the resource's associated principal.
davxml.ACE(
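Review bot: The authenticated-read ACE that gains `ReadCurrentUserPrivilegeSet` here still carries no `davxml.Protected()`, unlike every equivalent ACE this commit builds in config.py (`readOnlyACE`, `ReadACEs`, `AdminACEs`), so the ACL reported to clients advertises this grant as modifiable although `accessControlList` on this resource now always returns the fixed default. Adding `davxml.Protected(),` after the `Grant(...)` makes the reported ACL consistent with what the server actually enforces. The enclosing `defaultAccessControlList` starts before this hunk, so I am inferring the resource class from the surrounding hunks.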
@@ -351,6 +349,12 @@
TwistedACLInheritable(),
),
)
+
+ # Give read access to config.ReadPrincipals
+ aces += config.ReadACEs
+
+ # Give all access to config.AdminPrincipals
+ aces += config.AdminACEs
if config.EnableProxyPrincipals:
aces += (
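Review bot: The two new comments understate the scope of what is being appended: `config.ReadACEs` and `config.AdminACEs` are built with `TwistedACLInheritable()` in config.py, so a `ReadPrincipals` entry gets read access to every calendar and calendar object beneath every user's home, and `AdminPrincipals` get `DAV:all` there. Suggested wording, so the grant is understood at the point it is applied: `# Inheritable DAV:read for config.ReadPrincipals: every calendar and object beneath this home.` and `# Inheritable DAV:all for config.AdminPrincipals; needed here because accessControlList below ignores ACEs inherited from the root.`. Both attributes only exist once the config update that builds them has run; a module-level `config` that was never updated would raise `AttributeError` here, which is presumably acceptable but worth knowing. The enclosing `defaultAccessControlList` begins before this hunk.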
@@ -372,6 +376,10 @@
return davxml.ACL(*aces)
+ def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None):
+ # Permissions here are fixed, and are not subject to inherritance rules, etc.
+ return succeed(self.defaultAccessControlList())
+
def principalCollections(self):
return self.parent.principalCollections()
@@ -397,16 +405,3 @@
return int(str(self.readDeadProperty(TwistedQuotaRootProperty)))
else:
return config.UserQuota
-
-##
-# Utilities
-##
-
-# DAV:read access for authenticated users.
-readOnlyACL = davxml.ACL(
- davxml.ACE(
- davxml.Principal(davxml.Authenticated()),
- davxml.Grant(davxml.Privilege(davxml.Read())),
- davxml.Protected(),
- ),
-)