[CalendarServer-changes] [6688] CalendarServer/trunk/calendarserver
source_changes at macosforge.org
source_changes at macosforge.org
Mon Dec 13 11:25:26 PST 2010
Revision: 6688
http://trac.macosforge.org/projects/calendarserver/changeset/6688
Author: sagen at apple.com
Date: 2010-12-13 11:25:20 -0800 (Mon, 13 Dec 2010)
Log Message:
-----------
Honor addressbook and calendar SACLs where appropriate
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/provision/root.py
CalendarServer/trunk/calendarserver/tap/util.py
Modified: CalendarServer/trunk/calendarserver/provision/root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/root.py 2010-12-13 18:55:20 UTC (rev 6687)
+++ CalendarServer/trunk/calendarserver/provision/root.py 2010-12-13 19:25:20 UTC (rev 6688)
@@ -44,8 +44,18 @@
"""
useSacls = False
- saclService = "calendar"
+ # Mapping of top-level resource paths to SACLs. If a request path
+ # starts with any of these, then the list of SACLs are checked. If the
+ # request path does not start with any of these, then no SACLs are checked.
+ saclMap = {
+ "addressbooks" : ("addressbook",),
+ "calendars" : ("calendar",),
+ "directory" : ("addressbook",),
+ "principals" : ("addressbook", "calendar"),
+ "webcal" : ("calendar",),
+ }
+
def __init__(self, path, *args, **kwargs):
super(RootResource, self).__init__(path, *args, **kwargs)
@@ -89,6 +99,11 @@
Check SACLs against the current request
"""
+ topLevel = request.path.strip("/").split("/")[0]
+ saclServices = self.saclMap.get(topLevel, None)
+ if not saclServices:
+ returnValue(True)
+
try:
authnUser, authzUser = yield self.authenticate(request)
except Exception:
@@ -98,19 +113,24 @@
))
raise HTTPError(response)
+
# SACLs are enabled in the plist, but there may not actually
# be a SACL group assigned to this service. Let's see if
# unauthenticated users are allowed by calling CheckSACL
# with an empty string.
if authzUser == davxml.Principal(davxml.Unauthenticated()):
- if RootResource.CheckSACL("", self.saclService) != 0:
- response = (yield UnauthorizedResponse.makeResponse(
- request.credentialFactories,
- request.remoteAddr
- ))
- raise HTTPError(response)
- else:
- returnValue(True)
+ for saclService in saclServices:
+ if RootResource.CheckSACL("", saclService) == 0:
+ # No group actually exists for this SACL, so allow
+ # unauthenticated access
+ returnValue(True)
+ # There is a SACL group for at least one of the SACLs, so no
+ # unauthenticated access
+ response = (yield UnauthorizedResponse.makeResponse(
+ request.credentialFactories,
+ request.remoteAddr
+ ))
+ raise HTTPError(response)
# Cache the authentication details
request.authnUser = authnUser
@@ -131,15 +151,22 @@
delattr(request, "checkingSACL")
username = principal.record.shortNames[0]
- if RootResource.CheckSACL(username, self.saclService) != 0:
- log.info("User %r is not enabled with the %r SACL" % (username, self.saclService,))
- raise HTTPError(responsecode.FORBIDDEN)
+ access = False
+ for saclService in saclServices:
+ if RootResource.CheckSACL(username, saclService) == 0:
+ # Access is allowed
+ access = True
+ break
- # Mark SACLs as having been checked so we can avoid doing it multiple times
request.checkedSACL = True
+ if access:
+ # Mark SACLs as having been checked so we can avoid doing it
+ # multiple times
+ returnValue(True)
- returnValue(True)
+ log.info("User %r is not enabled with the %r SACL" % (username, saclServices,))
+ raise HTTPError(responsecode.FORBIDDEN)
@inlineCallbacks
def locateChild(self, request, segments):
Modified: CalendarServer/trunk/calendarserver/tap/util.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/util.py 2010-12-13 18:55:20 UTC (rev 6687)
+++ CalendarServer/trunk/calendarserver/tap/util.py 2010-12-13 19:25:20 UTC (rev 6688)
@@ -434,11 +434,7 @@
principalCollections=(principalCollection,),
)
- if config.EnableCardDAV and not config.EnableCalDAV:
- # TODO need a better way to do this when both services are enabled
- root.saclService = "addressbook"
-
root.putChild("principals", principalCollection)
if config.EnableCalDAV:
root.putChild("calendars", calendarCollection)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20101213/3b6b25cb/attachment.html>
More information about the calendarserver-changes
mailing list