[CalendarServer-changes] [10592] CalendarServer/branches/users/glyph/unshare-when-access-revoked
source_changes at macosforge.org
source_changes at macosforge.org
Mon Jan 28 19:29:20 PST 2013
Revision: 10592
http://trac.calendarserver.org//changeset/10592
Author: glyph at apple.com
Date: 2013-01-28 19:29:20 -0800 (Mon, 28 Jan 2013)
Log Message:
-----------
Factor out access-control check into its own method; document it.
Modified Paths:
--------------
CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py
Property Changed:
----------------
CalendarServer/branches/users/glyph/unshare-when-access-revoked/
Modified: CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py
===================================================================
--- CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py 2013-01-29 03:29:19 UTC (rev 10591)
+++ CalendarServer/branches/users/glyph/unshare-when-access-revoked/twistedcaldav/sharing.py 2013-01-29 03:29:20 UTC (rev 10592)
@@ -312,6 +312,52 @@
@inlineCallbacks
+ def _checkAccessControl(self, externalAccessMethod=None):
+ """
+ Check the shared access mode of this resource, potentially consulting
+ an external access method if necessary.
+
+ @param externalAccessMethod: see C{wikiAccessMethod} in
+ L{SharedCollectionMixin.shareeAccessControlList}
+
+ @return: a L{Deferred} firing a L{bytes} or L{None}, with one of the
+ potential values: C{"own"}, which means that the home is the owner
+ of the collection and it is not shared; C{"read-only"}, meaning
+ that the home that this collection is bound into has only read
+ access to this collection; C{"read-write"}, which means that the
+ home has both read and write access; C{"original"}, which means
+ that it should inherit the ACLs of the owner's collection, whatever
+ those happen to be, or C{None}, which means that the external
+ access control mechanism has dictate the home should no longer have
+ any access at all.
+ """
+ if externalAccessMethod is None:
+ externalAccessMethod = getWikiAccess
+ if self._share.direct():
+ ownerUID = self._share.ownerUID()
+ owner = self.principalForUID(ownerUID)
+ if owner.record.recordType == WikiDirectoryService.recordType_wikis:
+ # Access level comes from what the wiki has granted to the
+ # sharee
+ sharee = self.principalForUID(self._share.shareeUID())
+ userID = sharee.record.guid
+ wikiID = owner.record.shortNames[0]
+ access = (yield externalAccessMethod(userID, wikiID))
+ if access == "read":
+ returnValue("read-only")
+ elif access in ("write", "admin"):
+ returnValue("read-write")
+ else:
+ returnValue(None)
+ else:
+ returnValue("original")
+ else:
+ # Invited shares use access mode from the invite
+ # Get the access for self
+ returnValue(Invitation(self._newStoreObject).access())
+
+
+ @inlineCallbacks
def shareeAccessControlList(self, request, *args, **kwargs):
"""
Return WebDAV ACLs appropriate for the current user accessing the
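Review bot: In `_checkAccessControl`, `owner` and `sharee` are dereferenced (`owner.record.recordType`, `sharee.record.guid`) straight after `principalForUID`, with no check that the lookup found a principal. If `principalForUID` can return `None` for a principal that has since been removed (not visible here, but plausible on a branch about revoked access), the check raises `AttributeError` instead of returning a decision. A guard such as `if owner is None: returnValue(None)` after the owner lookup, and the same for `sharee`, would make it fail closed. The docstring also lists `"own"` as a result although no branch in this method returns it unless `Invitation.access()` does, and "has dictate" should read "has dictated".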
@@ -345,32 +391,15 @@
sharee = self.principalForUID(self._share.shareeUID())
+ access = yield self._checkAccessControl(wikiAccessMethod)
+
+ if access == "original":
+ original = (yield request.locateResource(self._share.url()))
+ result = (yield original.accessControlList(request, *args,
+ **kwargs))
+ returnValue(result)
+
# Direct shares use underlying privileges of shared collection
- if self._share.direct():
- ownerUID = self._share.ownerUID()
- owner = self.principalForUID(ownerUID)
- if owner.record.recordType == WikiDirectoryService.recordType_wikis:
- # Access level comes from what the wiki has granted to the
- # sharee
- userID = sharee.record.guid
- wikiID = owner.record.shortNames[0]
- access = (yield wikiAccessMethod(userID, wikiID))
- if access == "read":
- access = "read-only"
- elif access in ("write", "admin"):
- access = "read-write"
- else:
- access = None
- else:
- original = (yield request.locateResource(self._share.url()))
- result = (yield original.accessControlList(request, *args,
- **kwargs))
- returnValue(result)
- else:
- # Invited shares use access mode from the invite
- # Get the access for self
- access = Invitation(self._newStoreObject).access()
-
userprivs = [
]
if access in ("read-only", "read-write",):
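Review bot: The comment `# Direct shares use underlying privileges of shared collection` is left stranded below the new `if access == "original":` block, directly above `userprivs = [`, where it no longer describes the code that follows. It should move above the `"original"` test or be dropped. The revoked case (`access` is `None`) is handled only implicitly, by not matching `if access in ("read-only", "read-write",):`, so a comment there such as `# access is None when the external check revoked the share` would make the deny path explicit. The `sharee` lookup kept as context at the top of the hunk may now be unused, since the helper does its own lookup; the rest of `shareeAccessControlList` lies outside the hunk, so that needs checking.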