[CalendarServer-changes] [4798] CalendarServer/branches/users/cdaboo/deployment-partition-4722/ twistedcaldav/scheduling

source_changes at macosforge.org source_changes at macosforge.org
Sat Nov 21 13:07:24 PST 2009


Revision: 4798
          http://trac.macosforge.org/projects/calendarserver/changeset/4798
Author:   cdaboo at apple.com
Date:     2009-11-21 13:07:21 -0800 (Sat, 21 Nov 2009)
Log Message:
-----------
Make sure iSchedule Originator is set properly.

Modified Paths:
--------------
    CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py
    CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py

Modified: CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py
===================================================================
--- CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py	2009-11-21 00:01:19 UTC (rev 4797)
+++ CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/ischedule.py	2009-11-21 21:07:21 UTC (rev 4798)
@@ -171,7 +171,9 @@
     def _generateHeaders(self):
         self.headers = Headers()
         self.headers.setHeader('Host', utf8String(self.server.host + ":%s" % (self.server.port,)))
-        self.headers.addRawHeader('Originator', utf8String(self.scheduler.originator.cuaddr))
+        
+        # The Originator must be the ORGANIZER (for a request) or ATTENDEE (for a reply)
+        self.headers.addRawHeader('Originator', utf8String(self.scheduler.organizer.cuaddr if self.scheduler.isiTIPRequest else self.scheduler.attendee))
         self._doAuthentication()
         for recipient in self.recipients:
             self.headers.addRawHeader('Recipient', utf8String(recipient.cuaddr))

Modified: CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py
===================================================================
--- CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py	2009-11-21 00:01:19 UTC (rev 4797)
+++ CalendarServer/branches/users/cdaboo/deployment-partition-4722/twistedcaldav/scheduling/scheduler.py	2009-11-21 21:07:21 UTC (rev 4798)
@@ -22,13 +22,12 @@
 from twisted.web2 import responsecode
 from twisted.web2.dav import davxml
 from twisted.web2.dav.http import errorForFailure, messageForFailure, statusForFailure
-from twisted.web2.http import HTTPError, Response, StatusResponse
+from twisted.web2.http import HTTPError, Response
 from twisted.web2.http_headers import MimeType
 
 from twistedcaldav import caldavxml
 from twistedcaldav.accounting import accountingEnabled, emitAccounting
 from twistedcaldav.caldavxml import caldav_namespace, TimeRange
-from twistedcaldav.config import config
 from twistedcaldav.customxml import calendarserver_namespace
 from twistedcaldav.extensions import ErrorResponse
 from twistedcaldav.ical import Component
@@ -71,6 +70,8 @@
         self.calendar = None
         self.calendardata = None
         self.organizer = None
+        self.attendee = None
+        self.isiTIPRequest = None
         self.timeRange = None
         self.excludeUID = None
         self.fakeTheResult = False
@@ -263,7 +264,28 @@
         if self.calendar.hasProperty(Component.ACCESS_PROPERTY):
             log.err("X-CALENDARSERVER-ACCESS not allowed in a calendar component %s request: %s" % (self.method, self.calendardata,))
             raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (calendarserver_namespace, "no-access-restrictions")))
-    
+
+        # Determine iTIP method mode
+        if self.calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER"):
+            self.isiTIPRequest = True
+
+        elif self.calendar.propertyValue("METHOD") in ("REPLY", "COUNTER", "REFRESH"):
+            self.isiTIPRequest = False
+
+            # Verify that there is a single ATTENDEE property
+            attendees = self.calendar.getAttendees()
+        
+            # Must have only one
+            if len(attendees) != 1:
+                log.err("Wrong number of ATTENDEEs in calendar data: %s" % (self.calendardata,))
+                raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
+            self.attendee = attendees[0]
+
+        else:
+            msg = "Unknown iTIP METHOD: %s" % (self.calendar.propertyValue("METHOD"),)
+            log.err(msg)
+            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description=msg))
+
     def checkForFreeBusy(self):
         if not hasattr(self, "isfreebusy"):
             if (self.calendar.propertyValue("METHOD") == "REQUEST") and (self.calendar.mainType() == "VFREEBUSY"):
@@ -516,17 +538,8 @@
         Only local attendees are allowed for message originating from this server.
         """
         
-        # Verify that there is a single ATTENDEE property
-        attendees = self.calendar.getAttendees()
-    
-        # Must have only one
-        if len(attendees) != 1:
-            log.err("Wrong number of ATTENDEEs in calendar data: %s" % (self.calendardata,))
-            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
-        attendee = attendees[0]
-    
         # Attendee's Outbox MUST be the request URI
-        attendeePrincipal = self.resource.principalForCalendarUserAddress(attendee)
+        attendeePrincipal = self.resource.principalForCalendarUserAddress(self.attendee)
         if attendeePrincipal:
             if self.doingPOST and attendeePrincipal.scheduleOutboxURL() != self.request.uri:
                 log.err("ATTENDEE in calendar data does not match owner of Outbox: %s" % (self.calendardata,))
@@ -541,16 +554,12 @@
         """
     
         # Prevent spoofing of ORGANIZER with specific METHODs when local
-        if self.calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER"):
+        if self.isiTIPRequest:
             self.checkOrganizerAsOriginator()
     
         # Prevent spoofing when doing reply-like METHODs
-        elif self.calendar.propertyValue("METHOD") in ("REPLY", "COUNTER", "REFRESH"):
-            self.checkAttendeeAsOriginator()
-            
         else:
-            log.err("Unknown iTIP METHOD for security checks: %s" % (self.calendar.propertyValue("METHOD"),))
-            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description="Unknown iTIP METHOD for security checks"))
+            self.checkAttendeeAsOriginator()
 
     def finalChecks(self):
         """
@@ -750,17 +759,8 @@
         Only local attendees are allowed for message originating from this server.
         """
         
-        # Verify that there is a single ATTENDEE property
-        attendees = self.calendar.getAttendees()
-    
-        # Must have only one
-        if len(attendees) != 1:
-            log.err("Wrong number of ATTENDEEs in calendar data: %s" % (self.calendardata,))
-            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
-        attendee = attendees[0]
-    
         # Attendee cannot be local.
-        attendeePrincipal = self.resource.principalForCalendarUserAddress(attendee)
+        attendeePrincipal = self.resource.principalForCalendarUserAddress(self.attendee)
         if attendeePrincipal:
             if attendeePrincipal.locallyHosted():
                 log.err("Invalid ATTENDEE in calendar data: %s" % (self.calendardata,))
@@ -768,7 +768,7 @@
             else:
                 self._validPartitionServer(attendeePrincipal)                
         else:
-            localUser = (yield addressmapping.mapper.isCalendarUserInMyDomain(attendee))
+            localUser = (yield addressmapping.mapper.isCalendarUserInMyDomain(self.attendee))
             if localUser:
                 log.err("Unknown ATTENDEE in calendar data: %s" % (self.calendardata,))
                 raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "attendee-allowed")))
@@ -782,19 +782,13 @@
         """
 
         # Prevent spoofing of ORGANIZER with specific METHODs when local
-        if self.calendar.propertyValue("METHOD") in ("PUBLISH", "REQUEST", "ADD", "CANCEL", "DECLINECOUNTER"):
+        if self.isiTIPRequest:
             yield self.checkOrganizerAsOriginator()
     
         # Prevent spoofing when doing reply-like METHODs
-        elif self.calendar.propertyValue("METHOD") in ("REPLY", "COUNTER", "REFRESH"):
-            yield self.checkAttendeeAsOriginator()
-            
         else:
-            msg = "Unknown iTIP METHOD for security checks: %s" % (self.calendar.propertyValue("METHOD"),)
-            log.err(msg)
-            raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description=msg))
+            yield self.checkAttendeeAsOriginator()
 
-
 class ScheduleResponseResponse (Response):
     """
     ScheduleResponse L{Response} object.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20091121/a64058a3/attachment.html>


More information about the calendarserver-changes mailing list