[CalendarServer-changes] [4061] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Wed Apr 22 12:05:41 PDT 2009
Revision: 4061
http://trac.macosforge.org/projects/calendarserver/changeset/4061
Author: sagen at apple.com
Date: 2009-04-22 12:05:40 -0700 (Wed, 22 Apr 2009)
Log Message:
-----------
Allows non-calendar-enabled users to access/modify group calendars the wiki has given them permission to.
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/provision/root.py
CalendarServer/trunk/twistedcaldav/directory/principal.py
CalendarServer/trunk/twistedcaldav/directory/wiki.py
Modified: CalendarServer/trunk/calendarserver/provision/root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/root.py 2009-04-22 16:42:14 UTC (rev 4060)
+++ CalendarServer/trunk/calendarserver/provision/root.py 2009-04-22 19:05:40 UTC (rev 4061)
@@ -37,7 +37,7 @@
from twistedcaldav.cache import MemcacheResponseCache, MemcacheChangeNotifier
from twistedcaldav.cache import DisabledCache
from twistedcaldav.static import CalendarHomeFile
-from twistedcaldav.directory.principal import DirectoryPrincipalResource
+from twistedcaldav.directory.principal import DirectoryPrincipalResource, DirectoryCalendarPrincipalResource
log = Logger()
@@ -186,8 +186,37 @@
responsecode.FORBIDDEN,
"The username (%s) corresponding to your sessionID was not found by calendar server." % (username,)
))
- request.authnUser = request.authzUser = davxml.Principal(
- davxml.HRef.fromString("/principals/__uids__/%s/" % (record.guid,)))
+ for collection in self.principalCollections():
+ principal = collection.principalForRecord(record)
+ if principal is not None:
+ break
+ else:
+ # Can't find principal
+ raise HTTPError(StatusResponse(
+ responsecode.FORBIDDEN,
+ "The principal corresponding to your username (%s) was not found by calendar server." % (username,)
+ ))
+
+ request.authzUser = request.authnUser = davxml.Principal(
+ davxml.HRef.fromString("/principals/__uids__/%s/" % (record.guid,))
+ )
+
+ if not isinstance(principal, DirectoryCalendarPrincipalResource):
+ # Not enabled for calendaring, so use the wiki principal as authzUser if the resource is within
+ # a wiki. Examining the request path to determine this:
+ path = request.prepath
+ if len(path) > 2 and path[0] in ("principals", "calendars"):
+ wikiName = None
+ if path[1] == "wikis":
+ wikiName = path[2]
+ elif path[1] == "__uids__" and path[2].startswith("wiki-"):
+ wikiName = path[2][5:]
+ if wikiName:
+ log.debug("Using %s wiki as authzUser instead of %s" % (wikiName, username))
+ request.authzUser = davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiName,))
+ )
+
child = (yield super(RootResource, self).locateChild(request, segments))
returnValue(child)
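Review bot: The switch of `request.authzUser` to the wiki principal is decided only from `request.prepath`, and `wikiName` is taken from the URL without being checked against a directory record or against the user's access to that wiki. From here on, every non-calendar-enabled user requesting a path under that wiki acts as the same principal. The real access decision therefore rests on the wiki ACL lookup being evaluated against `authnUser` for every resource under those paths, and that lookup is not visible in this hunk. I would state the invariant above the path check, e.g. `# authzUser becomes the wiki principal before any access check; the wiki ACL (keyed on authnUser) must gate every resource under this path`, and consider resolving the wiki principal through `self.principalCollections()` so an unknown wiki name is rejected here. The enclosing method starts outside the hunk.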
Modified: CalendarServer/trunk/twistedcaldav/directory/principal.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/principal.py 2009-04-22 16:42:14 UTC (rev 4060)
+++ CalendarServer/trunk/twistedcaldav/directory/principal.py 2009-04-22 19:05:40 UTC (rev 4061)
@@ -81,7 +81,7 @@
wikiACL = (yield getWikiACL(self, request))
if wikiACL is not None:
# ACL depends on wiki server...
- log.info("Wiki ACL: %s" % (wikiACL,))
+ log.debug("Wiki ACL: %s" % (wikiACL.toxml(),))
returnValue(wikiACL)
else:
# ...otherwise permissions are fixed, and are not subject to
Modified: CalendarServer/trunk/twistedcaldav/directory/wiki.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/wiki.py 2009-04-22 16:42:14 UTC (rev 4060)
+++ CalendarServer/trunk/twistedcaldav/directory/wiki.py 2009-04-22 19:05:40 UTC (rev 4061)
@@ -129,9 +129,19 @@
@inlineCallbacks
def getWikiACL(resource, request):
+ """
+ Ask the wiki server we're paired with what level of access the authnUser has.
- from twistedcaldav.directory.principal import DirectoryCalendarPrincipalResource
+ Returns an ACL.
+ Wiki authentication is a bit tricky because the end-user accessing a group
+ calendar may not actually be enabled for calendaring. Therefore in that
+ situation, the authzUser will have been replaced with the wiki principal
+ in locateChild( ), so that any changes the user makes will have the wiki
+ as the originator. The authnUser will always be the end-user.
+ """
+ from twistedcaldav.directory.principal import DirectoryPrincipalResource
+
if (not hasattr(resource, "record") or
resource.record.recordType != WikiDirectoryService.recordType_wikis):
returnValue(None)
@@ -144,9 +154,9 @@
wikiID = resource.record.shortNames[0]
try:
- url = str(request.authzUser.children[0])
+ url = str(request.authnUser.children[0])
principal = (yield request.locateResource(url))
- if isinstance(principal, DirectoryCalendarPrincipalResource):
+ if isinstance(principal, DirectoryPrincipalResource):
userID = principal.record.guid
except:
# TODO: better error handling
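Review bot: The bare `except:` around the `request.authnUser` lookup now guards the only identity used for the wiki access query. Any failure in `locateResource`, or a principal of an unexpected type, silently leaves `userID` at whatever value was assigned before the hunk (not visible here, presumably an unauthenticated placeholder). Narrowing the handler and logging the failure, e.g. `except Exception, e:` followed by `log.info("Wiki ACL: could not resolve authnUser: %s" % (e,))`, would make that fall-back visible when reviewing access decisions. The handler body continues outside the hunk.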
@@ -163,6 +173,8 @@
log.info("Wiki ACL result: user [%s], wiki [%s], access [%s]" % (userID,
wikiID, access))
+ # The ACL we returns has ACEs for the end-user and the wiki principal
+ # in case authzUser is the wiki principal.
if access == "read":
request.wikiACL = davxml.ACL(
davxml.ACE(
@@ -171,6 +183,15 @@
davxml.Privilege(davxml.Read()),
),
TwistedACLInheritable(),
+ ),
+ davxml.ACE(
+ davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
+ ),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ ),
+ TwistedACLInheritable(),
)
)
returnValue(request.wikiACL)
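Review bot: The added ACE grants rights to `/principals/wikis/<wikiID>/`, the identity shared by every non-calendar-enabled user routed through that wiki, so this ACL is only correct for the `authnUser` whose access level was just returned. It is stored on `request.wikiACL`, which looks request-scoped, but nothing in the hunk says it must stay that way. The comment on this branch should say so explicitly, e.g. `# Valid only for this request's authnUser; never reuse or cache this ACL across users`. The same applies to the write-access ACEs added in the next hunk (`@@ -190,6 +211,24 @@`).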
@@ -190,6 +211,24 @@
davxml.Privilege(davxml.Write()),
),
TwistedACLInheritable(),
+ ),
+ davxml.ACE(
+ davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
+ ),
+ davxml.Grant(
+ davxml.Privilege(davxml.Read()),
+ ),
+ TwistedACLInheritable(),
+ ),
+ davxml.ACE(
+ davxml.Principal(
+ davxml.HRef.fromString("/principals/wikis/%s/" % (wikiID,))
+ ),
+ davxml.Grant(
+ davxml.Privilege(davxml.Write()),
+ ),
+ TwistedACLInheritable(),
)
)
returnValue(request.wikiACL)
@@ -211,6 +250,7 @@
)
)
+
except Fault, fault:
log.info("Wiki ACL result: user [%s], wiki [%s], FAULT [%s]" % (userID,