[CalendarServer-changes] [14841] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Thu May 28 08:32:34 PDT 2015


Revision: 14841
          http://trac.calendarserver.org//changeset/14841
Author:   cdaboo at apple.com
Date:     2015-05-28 08:32:34 -0700 (Thu, 28 May 2015)
Log Message:
-----------
Make sure POST/trash operations require authorization.

Modified Paths:
--------------
    CalendarServer/trunk/requirements-dev.txt
    CalendarServer/trunk/twistedcaldav/resource.py
    CalendarServer/trunk/twistedcaldav/storebridge.py

Modified: CalendarServer/trunk/requirements-dev.txt
===================================================================
--- CalendarServer/trunk/requirements-dev.txt	2015-05-28 15:28:02 UTC (rev 14840)
+++ CalendarServer/trunk/requirements-dev.txt	2015-05-28 15:32:34 UTC (rev 14841)
@@ -8,4 +8,4 @@
 q
 tl.eggdeps
 --editable svn+http://svn.calendarserver.org/repository/calendarserver/CalDAVClientLibrary/trunk@14811#egg=CalDAVClientLibrary
---editable svn+http://svn.calendarserver.org/repository/calendarserver/CalDAVTester/trunk@14838#egg=CalDAVTester
+--editable svn+http://svn.calendarserver.org/repository/calendarserver/CalDAVTester/trunk@14840#egg=CalDAVTester

Modified: CalendarServer/trunk/twistedcaldav/resource.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/resource.py	2015-05-28 15:28:02 UTC (rev 14840)
+++ CalendarServer/trunk/twistedcaldav/resource.py	2015-05-28 15:32:34 UTC (rev 14841)
@@ -102,6 +102,35 @@
 shareAcceptStatesByXML["DECLINED"] = customxml.InviteStatusDeclined()
 shareAcceptStatesByXML["DELETED"] = customxml.InviteStatusDeleted()
 
+def requiresPermissions(*permissions, **kw):
+    """
+    A decorator to wrap http_ methods in, to indicate that they should not be
+    run until the current user principal has been authorized for the given
+    permission set.
+    """
+    fromParent = kw.get('fromParent')
+    # FIXME: direct unit tests
+    def wrap(thunk):
+        def authAndContinue(self, request, *args, **kwargs):
+            if permissions:
+                d = self.authorize(request, permissions)
+            else:
+                d = succeed(None)
+            if fromParent:
+                d.addCallback(
+                    lambda whatever:
+                        request.locateResource(parentForURL(request.uri))
+                ).addCallback(
+                    lambda parent:
+                        parent.authorize(request, fromParent)
+                )
+            d.addCallback(lambda whatever: thunk(self, request, *args, **kwargs))
+            return d
+        return authAndContinue
+    return wrap
+
+
+
 class CalDAVComplianceMixIn(object):
     def davComplianceClasses(self):
         return (
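Review bot: `requiresPermissions` reads only `kw.get('fromParent')` and ignores every other keyword, so a misspelled keyword at a decoration site (for example `fromparent=`) would silently drop the parent check and the handler would run with less authorization than intended. Now that the helper is shared from resource.py, it should reject unknown keywords at decoration time: `fromParent = kw.pop('fromParent', None)` followed by `if kw: raise TypeError("unexpected keyword arguments: %r" % (sorted(kw),))`. A bare `@requiresPermissions()` likewise takes the `succeed(None)` path and authorizes nothing; raising in that case would be safer, provided no existing caller relies on it. The moved body uses `succeed` and `parentForURL`, and this diff shows no import change for resource.py, so confirm both names are already in scope there. The `# FIXME: direct unit tests` also remains open on a function that gates authorization.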
@@ -2733,6 +2762,7 @@
         returnValue((changed, deleted, notallowed))
 
 
+    @requiresPermissions(element.WriteContent())
     @inlineCallbacks
     def POST_handler_action(self, request, action):
         """

Modified: CalendarServer/trunk/twistedcaldav/storebridge.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/storebridge.py	2015-05-28 15:28:02 UTC (rev 14840)
+++ CalendarServer/trunk/twistedcaldav/storebridge.py	2015-05-28 15:32:34 UTC (rev 14841)
@@ -43,7 +43,8 @@
 )
 from twistedcaldav.memcachelock import MemcacheLockTimeoutError
 from twistedcaldav.notifications import NotificationCollectionResource, NotificationResource
-from twistedcaldav.resource import CalDAVResource, DefaultAlarmPropertyMixin
+from twistedcaldav.resource import CalDAVResource, DefaultAlarmPropertyMixin, \
+    requiresPermissions
 from twistedcaldav.scheduling_store.caldav.resource import ScheduleInboxResource
 from twistedcaldav.sharing import (
     invitationBindStatusToXMLMap, invitationBindModeToXMLMap
@@ -169,35 +170,6 @@
 
 
 
-def requiresPermissions(*permissions, **kw):
-    """
-    A decorator to wrap http_ methods in, to indicate that they should not be
-    run until the current user principal has been authorized for the given
-    permission set.
-    """
-    fromParent = kw.get('fromParent')
-    # FIXME: direct unit tests
-    def wrap(thunk):
-        def authAndContinue(self, request, *args, **kwargs):
-            if permissions:
-                d = self.authorize(request, permissions)
-            else:
-                d = succeed(None)
-            if fromParent:
-                d.addCallback(
-                    lambda whatever:
-                        request.locateResource(parentForURL(request.uri))
-                ).addCallback(
-                    lambda parent:
-                        parent.authorize(request, fromParent)
-                )
-            d.addCallback(lambda whatever: thunk(self, request, *args, **kwargs))
-            return d
-        return authAndContinue
-    return wrap
-
-
-
 class _NewStoreFileMetaDataHelper(object):
 
     def exists(self):