[CalendarServer-changes] [4055] CalendarServer/branches/users/sagen/wikiauth-4053
source_changes at macosforge.org
source_changes at macosforge.org
Tue Apr 21 17:20:05 PDT 2009
Revision: 4055
http://trac.macosforge.org/projects/calendarserver/changeset/4055
Author: sagen at apple.com
Date: 2009-04-21 17:20:05 -0700 (Tue, 21 Apr 2009)
Log Message:
-----------
Work in progress towards fixing wiki auth for users who are not provisioned for calendars, yet the wiki says they have permission to modify a group calendar.
Modified Paths:
--------------
CalendarServer/branches/users/sagen/wikiauth-4053/calendarserver/provision/root.py
CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/principal.py
CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/wiki.py
Modified: CalendarServer/branches/users/sagen/wikiauth-4053/calendarserver/provision/root.py
===================================================================
--- CalendarServer/branches/users/sagen/wikiauth-4053/calendarserver/provision/root.py 2009-04-22 00:18:26 UTC (rev 4054)
+++ CalendarServer/branches/users/sagen/wikiauth-4053/calendarserver/provision/root.py 2009-04-22 00:20:05 UTC (rev 4055)
@@ -37,7 +37,7 @@
from twistedcaldav.cache import MemcacheResponseCache, MemcacheChangeNotifier
from twistedcaldav.cache import DisabledCache
from twistedcaldav.static import CalendarHomeFile
-from twistedcaldav.directory.principal import DirectoryPrincipalResource
+from twistedcaldav.directory.principal import DirectoryPrincipalResource, DirectoryCalendarPrincipalResource
log = Logger()
@@ -186,8 +186,35 @@
responsecode.FORBIDDEN,
"The username (%s) corresponding to your sessionID was not found by calendar server." % (username,)
))
- request.authnUser = request.authzUser = davxml.Principal(
- davxml.HRef.fromString("/principals/__uids__/%s/" % (record.guid,)))
+ for collection in self.principalCollections():
+ principal = collection.principalForRecord(record)
+ if principal is not None:
+ break
+ else:
+ # Can't find principal
+ raise HTTPError(StatusResponse(
+ responsecode.FORBIDDEN,
+ "The principal corresponding to your username (%s) was not found by calendar server." % (username,)
+ ))
+
+ request.authzUser = request.authnUser = davxml.Principal(
+ davxml.HRef.fromString("/principals/__uids__/%s/" % (record.guid,))
+ )
+
+ if not isinstance(principal, DirectoryCalendarPrincipalResource):
+ # Not enabled for calendaring, so use the wiki principal as authzUser if the resource is within
+ # a wiki. Examining the segments to determine this:
+ if len(segments) > 2 and segments[0] in ("principals", "calendars"):
+ wikiName = None
+ if segments[1] == "wikis":
+ wikiName = segments[2]
+ elif segments[1] == "__uids__" and segments[2].startswith("wiki-"):
+ wikiName = segments[2][5:]
+ if wikiName:
+ request.authzUser = davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiName,))
+ )
+
child = (yield super(RootResource, self).locateChild(request, segments))
returnValue(child)
Modified: CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/principal.py
===================================================================
--- CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/principal.py 2009-04-22 00:18:26 UTC (rev 4054)
+++ CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/principal.py 2009-04-22 00:20:05 UTC (rev 4055)
@@ -81,7 +81,7 @@
wikiACL = (yield getWikiACL(self, request))
if wikiACL is not None:
# ACL depends on wiki server...
- log.info("Wiki ACL: %s" % (wikiACL,))
+ log.info("Wiki ACL: %s" % (wikiACL.toxml(),))
returnValue(wikiACL)
else:
# ...otherwise permissions are fixed, and are not subject to
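Review bot: The changed `log.info` line now serialises the whole ACL with `toxml()` every time this path runs, and the output includes the principal hrefs (with GUIDs) of whoever is being granted access. That is useful while debugging this branch but noisy and mildly sensitive at info level. I would lower it to `log.debug("Wiki ACL: %s" % (wikiACL.toxml(),))`, assuming the project's Logger exposes `debug` as it does `info`. The enclosing method starts and ends outside the hunk.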
Modified: CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/wiki.py
===================================================================
--- CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/wiki.py 2009-04-22 00:18:26 UTC (rev 4054)
+++ CalendarServer/branches/users/sagen/wikiauth-4053/twistedcaldav/directory/wiki.py 2009-04-22 00:20:05 UTC (rev 4055)
@@ -130,8 +130,9 @@
@inlineCallbacks
def getWikiACL(resource, request):
- from twistedcaldav.directory.principal import DirectoryCalendarPrincipalResource
+ from twistedcaldav.directory.principal import DirectoryPrincipalResource
+
if (not hasattr(resource, "record") or
resource.record.recordType != WikiDirectoryService.recordType_wikis):
returnValue(None)
@@ -144,9 +145,9 @@
wikiID = resource.record.shortNames[0]
try:
- url = str(request.authzUser.children[0])
+ url = str(request.authnUser.children[0])
principal = (yield request.locateResource(url))
- if isinstance(principal, DirectoryCalendarPrincipalResource):
+ if isinstance(principal, DirectoryPrincipalResource):
userID = principal.record.guid
except:
# TODO: better error handling
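Review bot: The lookup that now reads `request.authnUser.children[0]` still sits inside the bare `except:` below it, which hides every failure. An unauthenticated request, a failed `locateResource`, or a principal that is not a `DirectoryPrincipalResource` all fall through silently with whatever `userID` was set to before the `try`. That initial value is outside this hunk. Because `userID` is what the wiki is asked about, it should be confirmed that the fallback is treated as "no access" rather than as a valid identity. I would narrow the handler and log it, e.g. `except (AttributeError, IndexError), e:` followed by `log.info("Could not resolve authnUser for wiki ACL: %s" % (e,))`, and let anything unexpected propagate.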
@@ -166,11 +167,20 @@
if access == "read":
request.wikiACL = davxml.ACL(
davxml.ACE(
- request.authnUser,
+ request.authzUser,
davxml.Grant(
davxml.Privilege(davxml.Read()),
),
TwistedACLInheritable(),
+ ),
+ davxml.ACE(
+ davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
+ ),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ ),
+ TwistedACLInheritable(),
)
)
returnValue(request.wikiACL)
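Review bot: Each grant is now written out twice, once for `request.authzUser` and once for the `/principals/wikis/<wikiID>/` principal. This applies both in the `access == "read"` branch here and in the `("write", "admin")` branch of the next hunk, where it makes four near-identical ACEs. Since these ACEs are the access decision for the wiki, a later edit that touches one copy and not its twin would leave the two principals with different privileges. I would build the wiki principal once and generate the ACEs from a list of principals, as sketched below for the read branch; the write branch can do the same with a single `davxml.Grant` holding both the `Read` and `Write` privileges. When root.py has already switched `authzUser` to the wiki principal, the two principals are the same and the ACL carries duplicate entries. That is harmless but worth a comment. The `if`/`elif` chain starts outside this hunk.

```python
# … unchanged: wiki access lookup that sets `access` …
if access == "read":
    wikiPrincipal = davxml.Principal(
        davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
    )
    # Same grant for the acting principal and for the wiki principal itself.
    request.wikiACL = davxml.ACL(*[
        davxml.ACE(
            who,
            davxml.Grant(davxml.Privilege(davxml.Read())),
            TwistedACLInheritable(),
        )
        for who in (request.authzUser, wikiPrincipal)
    ])
    returnValue(request.wikiACL)
```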
@@ -178,18 +188,36 @@
elif access in ("write", "admin"):
request.wikiACL = davxml.ACL(
davxml.ACE(
- request.authnUser,
+ request.authzUser,
davxml.Grant(
davxml.Privilege(davxml.Read()),
),
TwistedACLInheritable(),
),
davxml.ACE(
- request.authnUser,
+ request.authzUser,
davxml.Grant(
davxml.Privilege(davxml.Write()),
),
TwistedACLInheritable(),
+ ),
+ davxml.ACE(
+ davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
+ ),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ ),
+ TwistedACLInheritable(),
+ ),
+ davxml.ACE(
+ davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
+ ),
+ davxml.Grant(
+ davxml.Privilege(davxml.Write()),
+ ),
+ TwistedACLInheritable(),
)
)
returnValue(request.wikiACL)