[CalendarServer-changes] [2216] CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/ schedule.py
source_changes at macosforge.org
source_changes at macosforge.org
Fri Mar 7 11:54:36 PST 2008
Revision: 2216
http://trac.macosforge.org/projects/calendarserver/changeset/2216
Author: wsanchez at apple.com
Date: 2008-03-07 11:54:35 -0800 (Fri, 07 Mar 2008)
Log Message:
-----------
Check access based on resource owner, not resource URL.
Modified Paths:
--------------
CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py
Modified: CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py
===================================================================
--- CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py 2008-03-07 19:33:47 UTC (rev 2215)
+++ CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py 2008-03-07 19:54:35 UTC (rev 2216)
@@ -278,18 +278,15 @@
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (calendarserver_namespace, "no-access-restrictions")))
# Verify that the ORGANIZER's cu address maps to the request.uri
- outboxURL = None
organizer = calendar.getOrganizer()
if organizer is not None:
organizerPrincipal = self.principalForCalendarUserAddress(organizer)
- if organizerPrincipal is not None:
- outboxURL = organizerPrincipal.scheduleOutboxURL()
- if outboxURL is None:
- logging.err("ORGANIZER in calendar data is not valid: %s" % (calendar,), system="CalDAV Outbox POST")
- raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "organizer-allowed")))
# Prevent spoofing of ORGANIZER with specific METHODs
- if (calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER")) and (outboxURL != request.uri):
+ if (
+ calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER") and
+ organizerPrincipal.record != self.parent.record
+ ):
logging.err("ORGANIZER in calendar data does not match owner of Outbox: %s" % (calendar,), system="CalDAV Outbox POST")
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "organizer-allowed")))
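Review bot: The new condition dereferences `organizerPrincipal.record` without a None guard, although `principalForCalendarUserAddress` can evidently return None (the attendee path in the next hunk still tests `attendeePrincipal is None`), and when `getOrganizer()` returns None the name is never bound at all because the removed `outboxURL = None` initialiser has no replacement. For PUBLISH/REQUEST/ADD/CANCEL/DECLINECOUNTER with a missing or unresolvable ORGANIZER the handler would now fail with an AttributeError or UnboundLocalError rather than the FORBIDDEN `organizer-allowed` response the removed lines produced, and an unresolvable ORGANIZER on other METHODs now passes through silently, which may or may not be intended. Suggest initialising `organizerPrincipal = None` before the `if organizer is not None:` block and making the condition mirror the attendee check: `organizerPrincipal is None or organizerPrincipal.record != self.parent.record`. The enclosing method begins and ends outside the hunk.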
@@ -305,11 +302,8 @@
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
# Attendee's Outbox MUST be the request URI
- attendeeOutboxURL = None
attendeePrincipal = self.principalForCalendarUserAddress(attendees[0])
- if attendeePrincipal is not None:
- attendeeOutboxURL = attendeePrincipal.scheduleOutboxURL()
- if attendeeOutboxURL is None or attendeeOutboxURL != request.uri:
+ if attendeePrincipal is None or attendeePrincipal.record != self.parent.record:
logging.err("ATTENDEE in calendar data does not match owner of Outbox: %s" % (calendar,), system="CalDAV Outbox POST")
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))