[CalendarServer-changes] [2964] CalendarServer/branches/release/CalendarServer-1.3-dev/twistedcaldav /static.py

source_changes at macosforge.org source_changes at macosforge.org
Tue Sep 9 14:59:42 PDT 2008 

Revision: 2964
          http://trac.macosforge.org/projects/calendarserver/changeset/2964
Author:   wsanchez at apple.com
Date:     2008-09-09 14:59:41 -0700 (Tue, 09 Sep 2008)
Log Message:
-----------
Don't expose private events in rolled-up iCalendar data

Modified Paths:
--------------
    CalendarServer/branches/release/CalendarServer-1.3-dev/twistedcaldav/static.py

Modified: CalendarServer/branches/release/CalendarServer-1.3-dev/twistedcaldav/static.py
===================================================================
--- CalendarServer/branches/release/CalendarServer-1.3-dev/twistedcaldav/static.py	2008-09-09 21:54:14 UTC (rev 2963)
+++ CalendarServer/branches/release/CalendarServer-1.3-dev/twistedcaldav/static.py	2008-09-09 21:59:41 UTC (rev 2964)
@@ -59,6 +59,7 @@
 from twistedcaldav.caldavxml import caldav_namespace
 from twistedcaldav.config import config
 from twistedcaldav.directory.directory import DirectoryService
+from twistedcaldav.customxml import TwistedCalendarAccessProperty
 from twistedcaldav.extensions import DAVFile
 from twistedcaldav.ical import Component as iComponent
 from twistedcaldav.ical import Property as iProperty
@@ -183,8 +184,9 @@
             yield filteredaces
             filteredaces = filteredaces.getResult()
 
-            # Must verify ACLs which means we need a request object at this point
             tzids = set()
+            isowner = (yield self.isOwner(request))
+
             for name, uid, type in self.index().search(None): #@UnusedVariable
                 try:
                     child = waitForDeferred(request.locateChildResource(self, name))
@@ -202,7 +204,13 @@
                         d.getResult()
                     except AccessDeniedError:
                         continue
-                    subcalendar = self.iCalendar(name)
+
+                    # Get the access filtered view of the data
+                    caldata = child.iCalendarTextFiltered(isowner)
+                    try:
+                        subcalendar = iComponent.fromString(caldata)
+                    except ValueError:
+                        continue
                     assert subcalendar.name() == "VCALENDAR"
 
                     for component in subcalendar.subcomponents():
@@ -223,6 +231,21 @@
 
     iCalendarRolledup = deferredGenerator(iCalendarRolledup)
 
+    def iCalendarTextFiltered(self, isowner):
+        try:
+            access = self.readDeadProperty(TwistedCalendarAccessProperty)
+        except HTTPError:
+            access = None
+
+        if access in (iComponent.ACCESS_CONFIDENTIAL, iComponent.ACCESS_RESTRICTED):
+
+            if not isowner:
+                # Now "filter" the resource calendar data through the CALDAV:calendar-data element and apply
+                # access restrictions to the data.
+                return caldavxml.CalendarData().elementFromResourceWithAccessRestrictions(self, access).calendarData()
+
+        return self.iCalendarText()
+
     def iCalendarText(self, name=None):
         if self.isPseudoCalendarCollection():
             if name is None:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20080909/be7c33a0/attachment.html

More information about the calendarserver-changes mailing list