[CalendarServer-changes] [14841] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Thu May 28 08:32:34 PDT 2015
Revision: 14841
http://trac.calendarserver.org//changeset/14841
Author: cdaboo at apple.com
Date: 2015-05-28 08:32:34 -0700 (Thu, 28 May 2015)
Log Message:
-----------
Make sure POST/trash operations require authorization.
Modified Paths:
--------------
CalendarServer/trunk/requirements-dev.txt
CalendarServer/trunk/twistedcaldav/resource.py
CalendarServer/trunk/twistedcaldav/storebridge.py
Modified: CalendarServer/trunk/requirements-dev.txt
===================================================================
--- CalendarServer/trunk/requirements-dev.txt 2015-05-28 15:28:02 UTC (rev 14840)
+++ CalendarServer/trunk/requirements-dev.txt 2015-05-28 15:32:34 UTC (rev 14841)
@@ -8,4 +8,4 @@
q
tl.eggdeps
--editable svn+http://svn.calendarserver.org/repository/calendarserver/CalDAVClientLibrary/trunk@14811#egg=CalDAVClientLibrary
---editable svn+http://svn.calendarserver.org/repository/calendarserver/CalDAVTester/trunk@14838#egg=CalDAVTester
+--editable svn+http://svn.calendarserver.org/repository/calendarserver/CalDAVTester/trunk@14840#egg=CalDAVTester
Modified: CalendarServer/trunk/twistedcaldav/resource.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/resource.py 2015-05-28 15:28:02 UTC (rev 14840)
+++ CalendarServer/trunk/twistedcaldav/resource.py 2015-05-28 15:32:34 UTC (rev 14841)
@@ -102,6 +102,35 @@
shareAcceptStatesByXML["DECLINED"] = customxml.InviteStatusDeclined()
shareAcceptStatesByXML["DELETED"] = customxml.InviteStatusDeleted()
+def requiresPermissions(*permissions, **kw):
+ """
+ A decorator to wrap http_ methods in, to indicate that they should not be
+ run until the current user principal has been authorized for the given
+ permission set.
+ """
+ fromParent = kw.get('fromParent')
+ # FIXME: direct unit tests
+ def wrap(thunk):
+ def authAndContinue(self, request, *args, **kwargs):
+ if permissions:
+ d = self.authorize(request, permissions)
+ else:
+ d = succeed(None)
+ if fromParent:
+ d.addCallback(
+ lambda whatever:
+ request.locateResource(parentForURL(request.uri))
+ ).addCallback(
+ lambda parent:
+ parent.authorize(request, fromParent)
+ )
+ d.addCallback(lambda whatever: thunk(self, request, *args, **kwargs))
+ return d
+ return authAndContinue
+ return wrap
+
+
+
class CalDAVComplianceMixIn(object):
def davComplianceClasses(self):
return (
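Review bot: `requiresPermissions` reads its only option with `kw.get('fromParent')` and ignores every other keyword, so a misspelled option at a call site (for example `fromparent=`) silently drops the parent-collection check and the wrapped method runs with less authorization than intended. Failing closed at decoration time is cheap: `fromParent = kw.pop('fromParent', None)` followed by `if kw: raise TypeError("unexpected keyword arguments: %r" % (sorted(kw),))`. The body was moved here unchanged from storebridge.py and relies on `succeed` and `parentForURL` being in scope; no import change for resource.py is visible in this diff, so that should be confirmed, since a missing name would only surface at request time in the `else` or `fromParent` branch. The `# FIXME: direct unit tests` is still open, and now that this decorator gates POST it merits a test that the wrapped method is not called when `authorize` fails.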
@@ -2733,6 +2762,7 @@
returnValue((changed, deleted, notallowed))
+ @requiresPermissions(element.WriteContent())
@inlineCallbacks
def POST_handler_action(self, request, action):
"""
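Review bot: The stacking order on `POST_handler_action` is what makes the check effective, and nothing on the page records that: `requiresPermissions` has to stay outermost so that `self.authorize(request, ...)` completes before the `inlineCallbacks` generator starts. A one-line comment above the decorators would protect this against a later reorder, e.g. `# requiresPermissions must remain the outermost decorator: authorization runs before the handler body`. The decorator as written checks `element.WriteContent()` on the resource itself for every `action` value; whether each action should need exactly that privilege cannot be judged from here, because the handler body lies outside the hunk.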
Modified: CalendarServer/trunk/twistedcaldav/storebridge.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/storebridge.py 2015-05-28 15:28:02 UTC (rev 14840)
+++ CalendarServer/trunk/twistedcaldav/storebridge.py 2015-05-28 15:32:34 UTC (rev 14841)
@@ -43,7 +43,8 @@
)
from twistedcaldav.memcachelock import MemcacheLockTimeoutError
from twistedcaldav.notifications import NotificationCollectionResource, NotificationResource
-from twistedcaldav.resource import CalDAVResource, DefaultAlarmPropertyMixin
+from twistedcaldav.resource import CalDAVResource, DefaultAlarmPropertyMixin, \
+ requiresPermissions
from twistedcaldav.scheduling_store.caldav.resource import ScheduleInboxResource
from twistedcaldav.sharing import (
invitationBindStatusToXMLMap, invitationBindModeToXMLMap
@@ -169,35 +170,6 @@
-def requiresPermissions(*permissions, **kw):
- """
- A decorator to wrap http_ methods in, to indicate that they should not be
- run until the current user principal has been authorized for the given
- permission set.
- """
- fromParent = kw.get('fromParent')
- # FIXME: direct unit tests
- def wrap(thunk):
- def authAndContinue(self, request, *args, **kwargs):
- if permissions:
- d = self.authorize(request, permissions)
- else:
- d = succeed(None)
- if fromParent:
- d.addCallback(
- lambda whatever:
- request.locateResource(parentForURL(request.uri))
- ).addCallback(
- lambda parent:
- parent.authorize(request, fromParent)
- )
- d.addCallback(lambda whatever: thunk(self, request, *args, **kwargs))
- return d
- return authAndContinue
- return wrap
-
-
-
class _NewStoreFileMetaDataHelper(object):
def exists(self):