[CalendarServer-changes] [3960] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Wed Apr 8 00:30:42 PDT 2009
Revision: 3960
http://trac.macosforge.org/projects/calendarserver/changeset/3960
Author: sagen at apple.com
Date: 2009-04-08 00:30:41 -0700 (Wed, 08 Apr 2009)
Log Message:
-----------
Even though SACLs are enabled in the plist, if there is not actually a SACL group set for the calendar server, we should allow unauthenticated users in, so they can access publicly available wiki calendars.
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c
CalendarServer/trunk/calendarserver/provision/root.py
CalendarServer/trunk/twistedcaldav/directory/calendar.py
Modified: CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c
===================================================================
--- CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c 2009-04-08 04:19:58 UTC (rev 3959)
+++ CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c 2009-04-08 07:30:41 UTC (rev 3960)
@@ -30,12 +30,32 @@
char *serviceName;
int serviceNameSize;
+ char *prefix = "com.apple.access_";
+ char groupName[256];
+ uuid_t group_uu;
+
// get the args
if (!PyArg_ParseTuple(args, "s#s#", &username,
&usernameSize, &serviceName, &serviceNameSize)) {
return NULL;
}
+ // If the username is empty, see if there is a com.apple.access_<service>
+ // group
+ if ( usernameSize == 0 ) {
+ memcpy(groupName, prefix, strlen(prefix));
+ strcpy(groupName + strlen(prefix), serviceName);
+ if ( mbr_group_name_to_uuid(groupName, group_uu) == 0 ) {
+ // com.apple.access_<serviceName> group does exist, so
+ // unauthenticated users are not allowed
+ return Py_BuildValue("i", (-1));
+ } else {
+ // com.apple.access_<serviceName> group doesn't exist, so
+ // unauthenticated users are allowed
+ return Py_BuildValue("i", 0);
+ }
+ }
+
// get a uuid for the user
uuid_t user;
int result = mbr_user_name_to_uuid(username, user);
Modified: CalendarServer/trunk/calendarserver/provision/root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/root.py 2009-04-08 04:19:58 UTC (rev 3959)
+++ CalendarServer/trunk/calendarserver/provision/root.py 2009-04-08 07:30:41 UTC (rev 3960)
@@ -106,16 +106,20 @@
))
raise HTTPError(response)
- # Ensure that the user is not unauthenticated.
- # SACLs are authorization for the use of the service,
- # so unauthenticated access doesn't make any sense.
+ # SACLs are enabled in the plist, but there may not actually
+ # be a SACL group assigned to this service. Let's see if
+ # unauthenticated users are allowed by calling CheckSACL
+ # with an empty string.
if authzUser == davxml.Principal(davxml.Unauthenticated()):
- log.msg("Unauthenticated users not enabled with the %r SACL" % (self.saclService,))
- response = (yield UnauthorizedResponse.makeResponse(
- request.credentialFactories,
- request.remoteAddr
- ))
- raise HTTPError(response)
+ if RootResource.CheckSACL("", self.saclService) != 0:
+ log.msg("Unauthenticated users not enabled with the %r SACL" % (self.saclService,))
+ response = (yield UnauthorizedResponse.makeResponse(
+ request.credentialFactories,
+ request.remoteAddr
+ ))
+ raise HTTPError(response)
+ else:
+ returnValue(True)
# Cache the authentication details
request.authnUser = authnUser
Modified: CalendarServer/trunk/twistedcaldav/directory/calendar.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/calendar.py 2009-04-08 04:19:58 UTC (rev 3959)
+++ CalendarServer/trunk/twistedcaldav/directory/calendar.py 2009-04-08 07:30:41 UTC (rev 3960)
@@ -410,7 +410,7 @@
wikiACL = (yield getWikiACL(self, request))
if wikiACL is not None:
# ACL depends on wiki server...
- log.info("Wiki ACL: %s" % (wikiACL,))
+ log.debug("Wiki ACL: %s" % (wikiACL.toxml(),))
returnValue(wikiACL)
else:
# ...otherwise permissions are fixed, and are not subject to
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20090408/f5c7430e/attachment.html>
More information about the calendarserver-changes
mailing list