[CalendarServer-changes] [4798] CalendarServer/branches/users/cdaboo/deployment-partition-4722/ twistedcaldav/scheduling
source_changes at macosforge.org
source_changes at macosforge.org
Sat Nov 21 13:07:24 PST 2009
Revision: 4798
http://trac.macosforge.org/projects/calendarserver/changeset/4798
Author: cdaboo at apple.com
Date: 2009-11-21 13:07:21 -0800 (Sat, 21 Nov 2009)
Log Message:
-----------
Make sure iSchedule Originator is set properly.
Modified Paths:
--------------
CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py
CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py
Modified: CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py
===================================================================
--- CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py 2009-11-21 00:01:19 UTC (rev 4797)
+++ CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py 2009-11-21 21:07:21 UTC (rev 4798)
@@ -171,7 +171,9 @@
def _generateHeaders(self):
self.headers = Headers()
self.headers.setHeader('Host', utf8String(self.server.host + ":%s" % (self.server.port,)))
- self.headers.addRawHeader('Originator', utf8String(self.scheduler.originator.cuaddr))
+
+ # The Originator must be the ORGANIZER (for a request) or ATTENDEE (for a reply)
+ self.headers.addRawHeader('Originator', utf8String(self.scheduler.organizer.cuaddr if self.scheduler.isiTIPRequest else self.scheduler.attendee))
self._doAuthentication()
for recipient in self.recipients:
self.headers.addRawHeader('Recipient', utf8String(recipient.cuaddr))
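Review bot: The new `Originator` expression treats `self.scheduler.isiTIPRequest` as a plain boolean, but the scheduler initialises it to `None`, so an undetermined mode silently selects `self.scheduler.attendee`, which is itself `None` until the calendar-data check has populated it. Because this header asserts the sender's identity to the receiving server, I would refuse to build it in that state, e.g. `if self.scheduler.isiTIPRequest is None: raise ValueError("iTIP mode not determined before header generation")`. The branches also differ in shape, with the organizer read through `.cuaddr` and the attendee passed as-is. That looks deliberate, since the attendee appears to be stored as a raw address, but it deserves a short comment such as `# attendee is already a calendar user address string`. The rest of `_generateHeaders` lies outside the hunk.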
Modified: CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py
===================================================================
--- CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py 2009-11-21 00:01:19 UTC (rev 4797)
+++ CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py 2009-11-21 21:07:21 UTC (rev 4798)
@@ -22,13 +22,12 @@
from twisted.web2 import responsecode
from twisted.web2.dav import davxml
from twisted.web2.dav.http import errorForFailure, messageForFailure, statusForFailure
-from twisted.web2.http import HTTPError, Response, StatusResponse
+from twisted.web2.http import HTTPError, Response
from twisted.web2.http_headers import MimeType
from twistedcaldav import caldavxml
from twistedcaldav.accounting import accountingEnabled, emitAccounting
from twistedcaldav.caldavxml import caldav_namespace, TimeRange
-from twistedcaldav.config import config
from twistedcaldav.customxml import calendarserver_namespace
from twistedcaldav.extensions import ErrorResponse
from twistedcaldav.ical import Component
@@ -71,6 +70,8 @@
self.calendar = None
self.calendardata = None
self.organizer = None
+ self.attendee = None
+ self.isiTIPRequest = None
self.timeRange = None
self.excludeUID = None
self.fakeTheResult = False
@@ -263,7 +264,28 @@
if self.calendar.hasProperty(Component.ACCESS_PROPERTY):
log.err("X-CALENDARSERVER-ACCESS not allowed in a calendar component %s request: %s" % (self.method, self.calendardata,))
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (calendarserver_namespace, "no-access-restrictions")))
-
+
+ # Determine iTIP method mode
+ if self.calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER"):
+ self.isiTIPRequest = True
+
+ elif self.calendar.propertyValue("METHOD") in ("REPLY", "COUNTER", "REFRESH"):
+ self.isiTIPRequest = False
+
+ # Verify that there is a single ATTENDEE property
+ attendees = self.calendar.getAttendees()
+
+ # Must have only one
+ if len(attendees) != 1:
+ log.err("Wrong number of ATTENDEEs in calendar data: %s" % (self.calendardata,))
+ raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
+ self.attendee = attendees[0]
+
+ else:
+ msg = "Unknown iTIP METHOD: %s" % (self.calendar.propertyValue("METHOD"),)
+ log.err(msg)
+ raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description=msg))
+
def checkForFreeBusy(self):
if not hasattr(self, "isfreebusy"):
if (self.calendar.propertyValue("METHOD") == "REQUEST") and (self.calendar.mainType() == "VFREEBUSY"):
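Review bot: The unknown-METHOD branch copies the METHOD value from the submitted calendar data into both the log line and the `description` of the FORBIDDEN response, whereas one of the two security checks it replaces returned a fixed description. I would log the value with `%r` and keep the response text constant, e.g. `description="Unknown iTIP METHOD"`, so request-controlled text is not reflected to the client or written raw into the log. `self.calendar.propertyValue("METHOD")` is also evaluated up to three times in this block, so binding it once with `method = self.calendar.propertyValue("METHOD")` would make the three branches easier to read. The enclosing method starts above the hunk.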
@@ -516,17 +538,8 @@
Only local attendees are allowed for message originating from this server.
"""
- # Verify that there is a single ATTENDEE property
- attendees = self.calendar.getAttendees()
-
- # Must have only one
- if len(attendees) != 1:
- log.err("Wrong number of ATTENDEEs in calendar data: %s" % (self.calendardata,))
- raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
- attendee = attendees[0]
-
# Attendee's Outbox MUST be the request URI
- attendeePrincipal = self.resource.principalForCalendarUserAddress(attendee)
+ attendeePrincipal = self.resource.principalForCalendarUserAddress(self.attendee)
if attendeePrincipal:
if self.doingPOST and attendeePrincipal.scheduleOutboxURL() != self.request.uri:
log.err("ATTENDEE in calendar data does not match owner of Outbox: %s" % (self.calendardata,))
@@ -541,16 +554,12 @@
"""
# Prevent spoofing of ORGANIZER with specific METHODs when local
- if self.calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER"):
+ if self.isiTIPRequest:
self.checkOrganizerAsOriginator()
# Prevent spoofing when doing reply-like METHODs
- elif self.calendar.propertyValue("METHOD") in ("REPLY", "COUNTER", "REFRESH"):
- self.checkAttendeeAsOriginator()
-
else:
- log.err("Unknown iTIP METHOD for security checks: %s" % (self.calendar.propertyValue("METHOD"),))
- raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description="Unknown iTIP METHOD for security checks"))
+ self.checkAttendeeAsOriginator()
def finalChecks(self):
"""
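Review bot: The `else:` branch no longer fails closed, because any value of `isiTIPRequest` that is not true, including its initial `None`, now runs `checkAttendeeAsOriginator()`, where the removed code rejected an unrecognised METHOD at this point. That is safe only if the calendar-data check that sets the flag always runs before these security checks, and that ordering is not visible here. I would make the reply branch explicit with `elif self.isiTIPRequest is False:` and keep a final `else:` that raises the FORBIDDEN `valid-calendar-data` error. The same applies to the deferred variant in the `@@ -782,19 +782,13 @@` hunk, and the `self.attendee` lookups in the `@@ -516` and `@@ -750` hunks rely on the same ordering. The enclosing function starts above the hunk.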
@@ -750,17 +759,8 @@
Only local attendees are allowed for message originating from this server.
"""
- # Verify that there is a single ATTENDEE property
- attendees = self.calendar.getAttendees()
-
- # Must have only one
- if len(attendees) != 1:
- log.err("Wrong number of ATTENDEEs in calendar data: %s" % (self.calendardata,))
- raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
- attendee = attendees[0]
-
# Attendee cannot be local.
- attendeePrincipal = self.resource.principalForCalendarUserAddress(attendee)
+ attendeePrincipal = self.resource.principalForCalendarUserAddress(self.attendee)
if attendeePrincipal:
if attendeePrincipal.locallyHosted():
log.err("Invalid ATTENDEE in calendar data: %s" % (self.calendardata,))
@@ -768,7 +768,7 @@
else:
self._validPartitionServer(attendeePrincipal)
else:
- localUser = (yield addressmapping.mapper.isCalendarUserInMyDomain(attendee))
+ localUser = (yield addressmapping.mapper.isCalendarUserInMyDomain(self.attendee))
if localUser:
log.err("Unknown ATTENDEE in calendar data: %s" % (self.calendardata,))
raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
@@ -782,19 +782,13 @@
"""
# Prevent spoofing of ORGANIZER with specific METHODs when local
- if self.calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER"):
+ if self.isiTIPRequest:
yield self.checkOrganizerAsOriginator()
# Prevent spoofing when doing reply-like METHODs
- elif self.calendar.propertyValue("METHOD") in ("REPLY", "COUNTER", "REFRESH"):
- yield self.checkAttendeeAsOriginator()
-
else:
- msg = "Unknown iTIP METHOD for security checks: %s" % (self.calendar.propertyValue("METHOD"),)
- log.err(msg)
- raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description=msg))
+ yield self.checkAttendeeAsOriginator()
-
class ScheduleResponseResponse (Response):
"""
ScheduleResponse L{Response} object.