[CalendarServer-changes] [11195] CalendarServer/trunk/txdav/caldav/datastore/scheduling/implicit.py

source_changes at macosforge.org source_changes at macosforge.org
Wed May 15 19:07:34 PDT 2013 

Revision: 11195
          http://trac.calendarserver.org//changeset/11195
Author:   cdaboo at apple.com
Date:     2013-05-15 19:07:34 -0700 (Wed, 15 May 2013)
Log Message:
-----------
Ensure attendee cannot remove their own ATTENDEE property on a locally scheduled event.

Modified Paths:
--------------
    CalendarServer/trunk/txdav/caldav/datastore/scheduling/implicit.py

Modified: CalendarServer/trunk/txdav/caldav/datastore/scheduling/implicit.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/scheduling/implicit.py	2013-05-16 02:01:27 UTC (rev 11194)
+++ CalendarServer/trunk/txdav/caldav/datastore/scheduling/implicit.py	2013-05-16 02:07:34 UTC (rev 11195)
@@ -1156,10 +1156,6 @@
             log.debug("Implicit - missing attendee is removing UID without server scheduling: '%s'" % (self.uid,))
 
         else:
-            # We will allow the attendee to do anything in this case, but we will mark the organizer
-            # with an schedule-status error and schedule-agent none
-            log.debug("Missing attendee is allowed to update UID: '%s' with invalid organizer '%s'" % (self.uid, self.organizer))
-
             # Make sure ORGANIZER is not changed if originally SCHEDULE-AGENT=SERVER
             if self.resource is not None:
                 self.oldcalendar = (yield self.resource.componentForUser())
@@ -1173,6 +1169,19 @@
                         "Cannot change organizer",
                     ))
 
+            # Never allow a missing attendee with a locally hosted organizer
+            if isinstance(self.organizerAddress, LocalCalendarUser):
+                log.error("Cannot remove ATTENDEE: UID:%s" % (self.uid,))
+                raise HTTPError(ErrorResponse(
+                    responsecode.FORBIDDEN,
+                    (caldav_namespace, "valid-attendee-change"),
+                    "Cannot remove attendee",
+                ))
+
+            # We will allow the attendee to do anything in this case, but we will mark the organizer
+            # with an schedule-status error and schedule-agent none
+            log.debug("Missing attendee is allowed to update UID: '%s' with invalid organizer '%s'" % (self.uid, self.organizer))
+
             # Check SCHEDULE-AGENT and coerce SERVER to NONE
             if self.calendar.getOrganizerScheduleAgent():
                 self.calendar.setParameterToValueForPropertyWithValue("SCHEDULE-AGENT", "NONE", "ORGANIZER", None)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20130515/1e8c5aee/attachment.html>

More information about the calendarserver-changes mailing list