[CalendarServer-changes] [2216] CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/ schedule.py

source_changes at macosforge.org source_changes at macosforge.org
Fri Mar 7 11:54:36 PST 2008


Revision: 2216
          http://trac.macosforge.org/projects/calendarserver/changeset/2216
Author:   wsanchez at apple.com
Date:     2008-03-07 11:54:35 -0800 (Fri, 07 Mar 2008)

Log Message:
-----------
Check access based on resource owner, not resource URL.

Modified Paths:
--------------
    CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py

Modified: CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py
===================================================================
--- CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py	2008-03-07 19:33:47 UTC (rev 2215)
+++ CalendarServer/branches/users/wsanchez/guid-calendars/twistedcaldav/schedule.py	2008-03-07 19:54:35 UTC (rev 2216)
@@ -278,18 +278,15 @@
             raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (calendarserver_namespace, "no-access-restrictions")))
     
         # Verify that the ORGANIZER's cu address maps to the request.uri
-        outboxURL = None
         organizer = calendar.getOrganizer()
         if organizer is not None:
             organizerPrincipal = self.principalForCalendarUserAddress(organizer)
-            if organizerPrincipal is not None:
-                outboxURL = organizerPrincipal.scheduleOutboxURL()
-        if outboxURL is None:
-            logging.err("ORGANIZER in calendar data is not valid: %s" % (calendar,), system="CalDAV Outbox POST")
-            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "organizer-allowed")))
 
         # Prevent spoofing of ORGANIZER with specific METHODs
-        if (calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER")) and (outboxURL != request.uri):
+        if (
+            calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER") and
+            organizerPrincipal.record != self.parent.record
+        ):
             logging.err("ORGANIZER in calendar data does not match owner of Outbox: %s" % (calendar,), system="CalDAV Outbox POST")
             raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "organizer-allowed")))
 
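Review bot: The new condition dereferences `organizerPrincipal`, which is never bound when `organizer is None` and is `None` when `principalForCalendarUserAddress` cannot resolve the address, so a PUBLISH/REQUEST/ADD/CANCEL/DECLINECOUNTER message with a missing or unknown ORGANIZER now raises UnboundLocalError or AttributeError (a 500) instead of the deliberate 403 `organizer-allowed` response the removed lines produced. Initialise `organizerPrincipal = None` before the `if organizer is not None:` line and extend the condition to `organizerPrincipal is None or organizerPrincipal.record != self.parent.record` so an unresolvable organizer is still rejected with the proper error element. The comment above it, `# Verify that the ORGANIZER's cu address maps to the request.uri`, is now stale since the check compares directory records; `# Verify that the ORGANIZER's cu address maps to the owner of this Outbox` describes the new behaviour. The enclosing method starts and ends outside this hunk.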
@@ -305,11 +302,8 @@
                 raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
             
             # Attendee's Outbox MUST be the request URI
-            attendeeOutboxURL = None
             attendeePrincipal = self.principalForCalendarUserAddress(attendees[0])
-            if attendeePrincipal is not None:
-                attendeeOutboxURL = attendeePrincipal.scheduleOutboxURL()
-            if attendeeOutboxURL is None or attendeeOutboxURL != request.uri:
+            if attendeePrincipal is None or attendeePrincipal.record != self.parent.record:
                 logging.err("ATTENDEE in calendar data does not match owner of Outbox: %s" % (calendar,), system="CalDAV Outbox POST")
                 raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
 
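Review bot: The comment `# Attendee's Outbox MUST be the request URI` no longer describes the check beneath it, which now compares the attendee's directory record with `self.parent.record` rather than an outbox URL against `request.uri`; `# Attendee MUST be the owner of this Outbox` matches the new logic. The added `attendeePrincipal is None or` guard correctly keeps an unresolvable ATTENDEE on the 403 path, which is the same guard the organizer check in the first hunk is missing. The enclosing method starts and ends outside this hunk.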


