[CalendarServer-changes] [10592] CalendarServer/branches/users/glyph/unshare-when-access-revoked

source_changes at macosforge.org source_changes at macosforge.org
Mon Jan 28 19:29:20 PST 2013


Revision: 10592
          http://trac.calendarserver.org//changeset/10592
Author:   glyph at apple.com
Date:     2013-01-28 19:29:20 -0800 (Mon, 28 Jan 2013)
Log Message:
-----------
Factor out access-control check into its own method; document it.

Modified Paths:
--------------
    CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py

Property Changed:
----------------
    CalendarServer/branches/users/glyph/unshare-when-access-revoked/

Modified: CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py
===================================================================
--- CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py	2013-01-29 03:29:19 UTC (rev 10591)
+++ CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py	2013-01-29 03:29:20 UTC (rev 10592)
@@ -312,6 +312,52 @@
 
 
     @inlineCallbacks
+    def _checkAccessControl(self, externalAccessMethod=None):
+        """
+        Check the shared access mode of this resource, potentially consulting
+        an external access method if necessary.
+
+        @param externalAccessMethod: see C{wikiAccessMethod} in
+            L{SharedCollectionMixin.shareeAccessControlList}
+
+        @return: a L{Deferred} firing a L{bytes} or L{None}, with one of the
+            potential values: C{"own"}, which means that the home is the owner
+            of the collection and it is not shared; C{"read-only"}, meaning
+            that the home that this collection is bound into has only read
+            access to this collection; C{"read-write"}, which means that the
+            home has both read and write access; C{"original"}, which means
+            that it should inherit the ACLs of the owner's collection, whatever
+            those happen to be, or C{None}, which means that the external
+            access control mechanism has dictate the home should no longer have
+            any access at all.
+        """
+        if externalAccessMethod is None:
+            externalAccessMethod = getWikiAccess
+        if self._share.direct():
+            ownerUID = self._share.ownerUID()
+            owner = self.principalForUID(ownerUID)
+            if owner.record.recordType == WikiDirectoryService.recordType_wikis:
+                # Access level comes from what the wiki has granted to the
+                # sharee
+                sharee = self.principalForUID(self._share.shareeUID())
+                userID = sharee.record.guid
+                wikiID = owner.record.shortNames[0]
+                access = (yield externalAccessMethod(userID, wikiID))
+                if access == "read":
+                    returnValue("read-only")
+                elif access in ("write", "admin"):
+                    returnValue("read-write")
+                else:
+                    returnValue(None)
+            else:
+                returnValue("original")
+        else:
+            # Invited shares use access mode from the invite
+            # Get the access for self
+            returnValue(Invitation(self._newStoreObject).access())
+
+
+    @inlineCallbacks
     def shareeAccessControlList(self, request, *args, **kwargs):
         """
         Return WebDAV ACLs appropriate for the current user accessing the
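Review bot: In `_checkAccessControl`, `owner.record` and `sharee.record` are dereferenced without checking what `self.principalForUID(...)` returned. If that lookup can return `None` for an account that has been removed (not visible in this hunk), the access check ends in an `AttributeError` instead of an explicit decision. A guard such as `if owner is None: returnValue(None)` before the `recordType` test, and the same for `sharee`, would make the no-access outcome deliberate. The docstring also has a typo: `has dictate the home` should read `has dictated that the home`. The new method is complete within this hunk, but its enclosing class starts outside it.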
@@ -345,32 +391,15 @@
 
         sharee = self.principalForUID(self._share.shareeUID())
 
+        access = yield self._checkAccessControl(wikiAccessMethod)
+
+        if access == "original":
+            original = (yield request.locateResource(self._share.url()))
+            result = (yield original.accessControlList(request, *args,
+                **kwargs))
+            returnValue(result)
+
         # Direct shares use underlying privileges of shared collection
-        if self._share.direct():
-            ownerUID = self._share.ownerUID()
-            owner = self.principalForUID(ownerUID)
-            if owner.record.recordType == WikiDirectoryService.recordType_wikis:
-                # Access level comes from what the wiki has granted to the
-                # sharee
-                userID = sharee.record.guid
-                wikiID = owner.record.shortNames[0]
-                access = (yield wikiAccessMethod(userID, wikiID))
-                if access == "read":
-                    access = "read-only"
-                elif access in ("write", "admin"):
-                    access = "read-write"
-                else:
-                    access = None
-            else:
-                original = (yield request.locateResource(self._share.url()))
-                result = (yield original.accessControlList(request, *args,
-                    **kwargs))
-                returnValue(result)
-        else:
-            # Invited shares use access mode from the invite
-            # Get the access for self
-            access = Invitation(self._newStoreObject).access()
-
         userprivs = [
         ]
         if access in ("read-only", "read-write",):
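Review bot: The context comment `# Direct shares use underlying privileges of shared collection` is now stranded directly above `userprivs = [`, because the direct-share branch it introduced has moved into `_checkAccessControl`. It should move up above the new `if access == "original":` block or be dropped. It would also help to document the revoked case where the result is consumed, for example `# access is None when the external check grants nothing; no privileges are added below`. The only visible handling of `None` is that it fails the `access in ("read-only", "read-write",)` test. `shareeAccessControlList` continues past the end of the hunk, so how the final ACL is built for a `None` result should be confirmed there.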