nextcloud/apps/dav/lib/carddav/sharing/plugin.php

<?php

namespace OCA\DAV\CardDAV\Sharing;

use OCA\DAV\Connector\Sabre\Auth;
use OCP\IRequest;
use Sabre\DAV\Exception\BadRequest;
use Sabre\DAV\Exception\NotFound;
use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin;
use Sabre\DAV\XMLUtil;
use Sabre\DAVACL\IACL;
use Sabre\HTTP\RequestInterface;
use Sabre\HTTP\ResponseInterface;

class Plugin extends ServerPlugin {

	/** @var Auth */
	private $auth;

	/** @var IRequest */
	private $request;

	/**
	 * Plugin constructor.
	 *
	 * @param Auth $authBackEnd
	 * @param IRequest $request
	 */
	public function __construct(Auth $authBackEnd, IRequest $request) {
		$this->auth = $authBackEnd;
		$this->request = $request;
	}

	/**
	 * Reference to SabreDAV server object.
	 *
	 * @var \Sabre\DAV\Server
	 */
	protected $server;

	/**
	 * This method should return a list of server-features.
	 *
	 * This is for example 'versioning' and is added to the DAV: header
	 * in an OPTIONS response.
	 *
	 * @return string[]
	 */
	function getFeatures() {

		return ['oc-addressbook-sharing'];

	}

	/**
	 * Returns a plugin name.
	 *
	 * Using this name other plugins will be able to access other plugins
	 * using Sabre\DAV\Server::getPlugin
	 *
	 * @return string
	 */
	function getPluginName() {

		return 'carddav-sharing';

	}

	/**
	 * This initializes the plugin.
	 *
	 * This function is called by Sabre\DAV\Server, after
	 * addPlugin is called.
	 *
	 * This method should set up the required event subscriptions.
	 *
	 * @param Server $server
	 * @return void
	 */
	function initialize(Server $server) {
		$this->server = $server;
		$server->resourceTypeMapping['OCA\\DAV\CardDAV\\ISharedAddressbook'] = '{' . \Sabre\CardDAV\Plugin::NS_CARDDAV . '}shared';
		$this->server->xml->elementMap['{' . \Sabre\CardDAV\Plugin::NS_CARDDAV . '}share'] = 'OCA\\DAV\\CardDAV\\Sharing\\Xml\\ShareRequest';

		$this->server->on('method:POST', [$this, 'httpPost']);
	}

	/**
	 * We intercept this to handle POST requests on calendars.
	 *
	 * @param RequestInterface $request
	 * @param ResponseInterface $response
	 * @return null|false
	 */
	function httpPost(RequestInterface $request, ResponseInterface $response) {

		$path = $request->getPath();

		// Only handling xml
		$contentType = $request->getHeader('Content-Type');
		if (strpos($contentType, 'application/xml') === false && strpos($contentType, 'text/xml') === false)
			return;

		// Making sure the node exists
		try {
			$node = $this->server->tree->getNodeForPath($path);
		} catch (NotFound $e) {
			return;
		}

		// CSRF protection
		$this->protectAgainstCSRF();

		$requestBody = $request->getBodyAsString();

		// If this request handler could not deal with this POST request, it
		// will return 'null' and other plugins get a chance to handle the
		// request.
		//
		// However, we already requested the full body. This is a problem,
		// because a body can only be read once. This is why we preemptively
		// re-populated the request body with the existing data.
		$request->setBody($requestBody);

		$message = $this->server->xml->parse($requestBody, $request->getUrl(), $documentType);

		switch ($documentType) {

			// Dealing with the 'share' document, which modified invitees on a
			// calendar.
			case '{' . \Sabre\CardDAV\Plugin::NS_CARDDAV . '}share' :

				// We can only deal with IShareableCalendar objects
				if (!$node instanceof IShareableAddressBook) {
					return;
				}

				$this->server->transactionType = 'post-oc-addressbook-share';

				// Getting ACL info
				$acl = $this->server->getPlugin('acl');

				// If there's no ACL support, we allow everything
				if ($acl) {
					/** @var \Sabre\DAVACL\Plugin $acl */
					$acl->checkPrivileges($path, '{DAV:}write');
				}

				$node->updateShares($message->set, $message->remove);

				$response->setStatus(200);
				// Adding this because sending a response body may cause issues,
				// and I wanted some type of indicator the response was handled.
				$response->setHeader('X-Sabre-Status', 'everything-went-well');

				// Breaking the event chain
				return false;
		}
	}

	private function protectAgainstCSRF() {
		$user = $this->auth->getCurrentUser();
		if ($this->auth->isDavAuthenticated($user)) {
			return true;
		}

		if ($this->request->passesCSRFCheck()) {
			return true;
		}

		throw new BadRequest();
	}


}
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`<?php`

			`namespace OCA\DAV\CardDAV\Sharing;`

Implement CSRF protection 2015-11-10 09:54:35 +03:00			`use OCA\DAV\Connector\Sabre\Auth;`
			`use OCP\IRequest;`
			`use Sabre\DAV\Exception\BadRequest;`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`use Sabre\DAV\Exception\NotFound;`
			`use Sabre\DAV\Server;`
			`use Sabre\DAV\ServerPlugin;`
			`use Sabre\DAV\XMLUtil;`
Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`use Sabre\DAVACL\IACL;`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`use Sabre\HTTP\RequestInterface;`
			`use Sabre\HTTP\ResponseInterface;`

			`class Plugin extends ServerPlugin {`

Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`/** @var Auth */`
			`private $auth;`

			`/** @var IRequest */`
			`private $request;`

			`/**`
			`* Plugin constructor.`
			`*`
			`* @param Auth $authBackEnd`
			`* @param IRequest $request`
			`*/`
Implement CSRF protection 2015-11-10 09:54:35 +03:00			`public function __construct(Auth $authBackEnd, IRequest $request) {`
			`$this->auth = $authBackEnd;`
			`$this->request = $request;`
			`}`

Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`/**`
			`* Reference to SabreDAV server object.`
			`*`
			`* @var \Sabre\DAV\Server`
			`*/`
			`protected $server;`

			`/**`
			`* This method should return a list of server-features.`
			`*`
			`* This is for example 'versioning' and is added to the DAV: header`
			`* in an OPTIONS response.`
			`*`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 2015-11-27 18:32:44 +03:00			`* @return string[]`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`*/`
			`function getFeatures() {`

			`return ['oc-addressbook-sharing'];`

			`}`

			`/**`
			`* Returns a plugin name.`
			`*`
			`* Using this name other plugins will be able to access other plugins`
			`* using Sabre\DAV\Server::getPlugin`
			`*`
			`* @return string`
			`*/`
			`function getPluginName() {`

			`return 'carddav-sharing';`

			`}`

			`/**`
			`* This initializes the plugin.`
			`*`
			`* This function is called by Sabre\DAV\Server, after`
			`* addPlugin is called.`
			`*`
			`* This method should set up the required event subscriptions.`
			`*`
			`* @param Server $server`
			`* @return void`
			`*/`
			`function initialize(Server $server) {`
			`$this->server = $server;`
			`$server->resourceTypeMapping['OCA\\DAV\CardDAV\\ISharedAddressbook'] = '{' . \Sabre\CardDAV\Plugin::NS_CARDDAV . '}shared';`
Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`$this->server->xml->elementMap['{' . \Sabre\CardDAV\Plugin::NS_CARDDAV . '}share'] = 'OCA\\DAV\\CardDAV\\Sharing\\Xml\\ShareRequest';`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00
			`$this->server->on('method:POST', [$this, 'httpPost']);`
			`}`

			`/**`
			`* We intercept this to handle POST requests on calendars.`
			`*`
			`* @param RequestInterface $request`
			`* @param ResponseInterface $response`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 2015-11-27 18:32:44 +03:00			`* @return null\|false`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`*/`
			`function httpPost(RequestInterface $request, ResponseInterface $response) {`

			`$path = $request->getPath();`

			`// Only handling xml`
			`$contentType = $request->getHeader('Content-Type');`
			`if (strpos($contentType, 'application/xml') === false && strpos($contentType, 'text/xml') === false)`
			`return;`

			`// Making sure the node exists`
			`try {`
			`$node = $this->server->tree->getNodeForPath($path);`
			`} catch (NotFound $e) {`
			`return;`
			`}`

Implement CSRF protection 2015-11-10 09:54:35 +03:00			`// CSRF protection`
			`$this->protectAgainstCSRF();`

Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`$requestBody = $request->getBodyAsString();`

			`// If this request handler could not deal with this POST request, it`
			`// will return 'null' and other plugins get a chance to handle the`
			`// request.`
			`//`
			`// However, we already requested the full body. This is a problem,`
			`// because a body can only be read once. This is why we preemptively`
			`// re-populated the request body with the existing data.`
			`$request->setBody($requestBody);`

Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`$message = $this->server->xml->parse($requestBody, $request->getUrl(), $documentType);`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00
			`switch ($documentType) {`

			`// Dealing with the 'share' document, which modified invitees on a`
			`// calendar.`
			`case '{' . \Sabre\CardDAV\Plugin::NS_CARDDAV . '}share' :`

			`// We can only deal with IShareableCalendar objects`
			`if (!$node instanceof IShareableAddressBook) {`
			`return;`
			`}`

Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`$this->server->transactionType = 'post-oc-addressbook-share';`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00
			`// Getting ACL info`
			`$acl = $this->server->getPlugin('acl');`

			`// If there's no ACL support, we allow everything`
			`if ($acl) {`
Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`/** @var \Sabre\DAVACL\Plugin $acl */`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00			`$acl->checkPrivileges($path, '{DAV:}write');`
			`}`

Fix carddav sharing plugin + adding unit tests 2015-12-14 18:14:35 +03:00			`$node->updateShares($message->set, $message->remove);`
Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00
			`$response->setStatus(200);`
			`// Adding this because sending a response body may cause issues,`
			`// and I wanted some type of indicator the response was handled.`
			`$response->setHeader('X-Sabre-Status', 'everything-went-well');`

			`// Breaking the event chain`
			`return false;`
			`}`
			`}`

Implement CSRF protection 2015-11-10 09:54:35 +03:00			`private function protectAgainstCSRF() {`
			`$user = $this->auth->getCurrentUser();`
			`if ($this->auth->isDavAuthenticated($user)) {`
			`return true;`
			`}`

			`if ($this->request->passesCSRFCheck()) {`
			`return true;`
			`}`

			`throw new BadRequest();`
			`}`

Addressbook sharing added based on a simplified approach which is based on calendar sharing standard 2015-11-05 18:46:37 +03:00
			`}`