[CalendarServer-changes] [3960] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Wed Apr 8 00:30:42 PDT 2009


Revision: 3960
          http://trac.macosforge.org/projects/calendarserver/changeset/3960
Author:   sagen at apple.com
Date:     2009-04-08 00:30:41 -0700 (Wed, 08 Apr 2009)
Log Message:
-----------
Even though SACLs are enabled in the plist, if there is not actually a SACL group set for the calendar server, we should allow unauthenticated users in, so they can access publicly available wiki calendars.

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c
    CalendarServer/trunk/calendarserver/provision/root.py
    CalendarServer/trunk/twistedcaldav/directory/calendar.py

Modified: CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c
===================================================================
--- CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c	2009-04-08 04:19:58 UTC (rev 3959)
+++ CalendarServer/trunk/calendarserver/platform/darwin/_sacl.c	2009-04-08 07:30:41 UTC (rev 3960)
@@ -30,12 +30,32 @@
     char *serviceName;
     int serviceNameSize;
 
+    char *prefix = "com.apple.access_";
+    char groupName[256];
+    uuid_t group_uu;
+
     // get the args
     if (!PyArg_ParseTuple(args, "s#s#", &username,
                           &usernameSize, &serviceName, &serviceNameSize)) {
         return NULL;
     }
 
+    // If the username is empty, see if there is a com.apple.access_<service>
+    // group
+    if ( usernameSize == 0 ) {
+        memcpy(groupName, prefix, strlen(prefix));
+        strcpy(groupName + strlen(prefix), serviceName);
+        if ( mbr_group_name_to_uuid(groupName, group_uu) == 0 ) {
+            // com.apple.access_<serviceName> group does exist, so
+            // unauthenticated users are not allowed
+            return Py_BuildValue("i", (-1));
+        } else {
+            // com.apple.access_<serviceName> group doesn't exist, so
+            // unauthenticated users are allowed
+            return Py_BuildValue("i", 0);
+        }
+    }
+
     // get a uuid for the user
     uuid_t user;
     int result = mbr_user_name_to_uuid(username, user);
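Review bot: The `strcpy` into the 256-byte `groupName` in the empty-username branch has no length check, so a `serviceName` longer than the space left after the prefix writes past the end of the stack buffer, even though `serviceNameSize` is already available from `PyArg_ParseTuple`. Build the name with a bounded call and deny on truncation, e.g. `if (snprintf(groupName, sizeof(groupName), "%s%s", prefix, serviceName) >= (int)sizeof(groupName)) return Py_BuildValue("i", (-1));`. The branch also treats every non-zero return from `mbr_group_name_to_uuid` as "group doesn't exist" and allows access, so a lookup that fails for some other reason would presumably fail open; allowing only on the specific not-found result would be safer. The function body starts before and continues after this hunk.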

Modified: CalendarServer/trunk/calendarserver/provision/root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/root.py	2009-04-08 04:19:58 UTC (rev 3959)
+++ CalendarServer/trunk/calendarserver/provision/root.py	2009-04-08 07:30:41 UTC (rev 3960)
@@ -106,16 +106,20 @@
             ))
             raise HTTPError(response)
 
-        # Ensure that the user is not unauthenticated.
-        # SACLs are authorization for the use of the service,
-        # so unauthenticated access doesn't make any sense.
+        # SACLs are enabled in the plist, but there may not actually
+        # be a SACL group assigned to this service.  Let's see if
+        # unauthenticated users are allowed by calling CheckSACL
+        # with an empty string.
         if authzUser == davxml.Principal(davxml.Unauthenticated()):
-            log.msg("Unauthenticated users not enabled with the %r SACL" % (self.saclService,))
-            response = (yield UnauthorizedResponse.makeResponse(
-                request.credentialFactories,
-                request.remoteAddr
-            ))
-            raise HTTPError(response)
+            if RootResource.CheckSACL("", self.saclService) != 0:
+                log.msg("Unauthenticated users not enabled with the %r SACL" % (self.saclService,))
+                response = (yield UnauthorizedResponse.makeResponse(
+                    request.credentialFactories,
+                    request.remoteAddr
+                ))
+                raise HTTPError(response)
+            else:
+                returnValue(True)
 
         # Cache the authentication details
         request.authnUser = authnUser
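Review bot: The new `else: returnValue(True)` branch admits an unauthenticated request without writing any log line, and it returns before the `request.authnUser = authnUser` caching that follows in this hunk. This is now the path by which anonymous access is granted when no SACL group exists, so it deserves an audit record, e.g. `log.msg("Unauthenticated access allowed: no SACL group for %r" % (self.saclService,))` before the return. If later code reads `request.authnUser` or `request.authzUser` (not visible here), confirm that skipping the cache is intended. The empty string passed to `CheckSACL` acts as a sentinel for "anonymous", and a comment on that call should say so, because any caller that passes an empty username gets the same allow-if-no-group result. The enclosing method starts and ends outside the hunk.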

Modified: CalendarServer/trunk/twistedcaldav/directory/calendar.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/calendar.py	2009-04-08 04:19:58 UTC (rev 3959)
+++ CalendarServer/trunk/twistedcaldav/directory/calendar.py	2009-04-08 07:30:41 UTC (rev 3960)
@@ -410,7 +410,7 @@
         wikiACL = (yield getWikiACL(self, request))
         if wikiACL is not None:
             # ACL depends on wiki server...
-            log.info("Wiki ACL: %s" % (wikiACL,))
+            log.debug("Wiki ACL: %s" % (wikiACL.toxml(),))
             returnValue(wikiACL)
         else:
             # ...otherwise permissions are fixed, and are not subject to