Merge pull request #22236 from nextcloud/bugfix/noid/dav_sharing_backend_canWrite_isOwner

CalDAV: Add ability to limit sharing to owner
Morris Jobke 2020-08-18 16:48:43 +02:00 committed by GitHub
commit 05df385538
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 41 additions and 6 deletions


@ -133,7 +133,12 @@ class PublishPlugin extends ServerPlugin {
$canShare = (!$node->isSubscription() && $node->canWrite()); $canShare = (!$node->isSubscription() && $node->canWrite());
$canPublish = (!$node->isSubscription() && $node->canWrite()); $canPublish = (!$node->isSubscription() && $node->canWrite());
return new AllowedSharingModes($canShare, $canPublish); if ($this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes') {
$canShare &= ($node->getOwner() === $node->getPrincipalURI());
$canPublish &= ($node->getOwner() === $node->getPrincipalURI());
}
return new AllowedSharingModes((bool)$canShare, (bool)$canPublish);
}); });
} }
} }
@ -190,7 +195,14 @@ class PublishPlugin extends ServerPlugin {
// If there's no ACL support, we allow everything // If there's no ACL support, we allow everything
if ($acl) { if ($acl) {
/** @var \Sabre\DAVACL\Plugin $acl */
$acl->checkPrivileges($path, '{DAV:}write'); $acl->checkPrivileges($path, '{DAV:}write');
$limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
$isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
if ($limitSharingToOwner && !$isOwner) {
return;
}
} }
$node->setPublishStatus(true); $node->setPublishStatus(true);
@ -218,7 +230,14 @@ class PublishPlugin extends ServerPlugin {
// If there's no ACL support, we allow everything // If there's no ACL support, we allow everything
if ($acl) { if ($acl) {
/** @var \Sabre\DAVACL\Plugin $acl */
$acl->checkPrivileges($path, '{DAV:}write'); $acl->checkPrivileges($path, '{DAV:}write');
$limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
$isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
if ($limitSharingToOwner && !$isOwner) {
return;
}
} }
$node->setPublishStatus(false); $node->setPublishStatus(false);
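Review bot: The owner restriction added to the publish and unpublish handlers (second and third hunks) sits inside `if ($acl)`, so when the ACL plugin is not loaded the `limitAddressBookAndCalendarSharingToOwner` setting is not applied at all. That matches the existing "no ACL support, we allow everything" comment, but it is surprising for a switch an administrator enables to restrict sharing. When the restriction does apply, a non-owner ends in a bare `return;` with no exception and no response status set in the visible lines, so the refusal is not reported to the client. Throwing instead, e.g. `throw new \Sabre\DAV\Exception\Forbidden('Sharing is limited to the owner');`, would make the denial explicit, assuming that fits how the rest of the handler (outside these hunks) reports errors. The same `return;` pattern is added to the share handler in the Sharing plugin section that follows.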


@ -27,6 +27,7 @@ namespace OCA\DAV\DAV\Sharing;
use OCA\DAV\Connector\Sabre\Auth; use OCA\DAV\Connector\Sabre\Auth;
use OCA\DAV\DAV\Sharing\Xml\Invite; use OCA\DAV\DAV\Sharing\Xml\Invite;
use OCA\DAV\DAV\Sharing\Xml\ShareRequest; use OCA\DAV\DAV\Sharing\Xml\ShareRequest;
use OCP\IConfig;
use OCP\IRequest; use OCP\IRequest;
use Sabre\DAV\Exception\NotFound; use Sabre\DAV\Exception\NotFound;
use Sabre\DAV\INode; use Sabre\DAV\INode;
@ -46,15 +47,20 @@ class Plugin extends ServerPlugin {
/** @var IRequest */ /** @var IRequest */
private $request; private $request;
/** @var IConfig */
private $config;
/** /**
* Plugin constructor. * Plugin constructor.
* *
* @param Auth $authBackEnd * @param Auth $authBackEnd
* @param IRequest $request * @param IRequest $request
* @param IConfig $config
*/ */
public function __construct(Auth $authBackEnd, IRequest $request) { public function __construct(Auth $authBackEnd, IRequest $request, IConfig $config) {
$this->auth = $authBackEnd; $this->auth = $authBackEnd;
$this->request = $request; $this->request = $request;
$this->config = $config;
} }
/** /**
@ -164,6 +170,12 @@ class Plugin extends ServerPlugin {
if ($acl) { if ($acl) {
/** @var \Sabre\DAVACL\Plugin $acl */ /** @var \Sabre\DAVACL\Plugin $acl */
$acl->checkPrivileges($path, '{DAV:}write'); $acl->checkPrivileges($path, '{DAV:}write');
$limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
$isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
if ($limitSharingToOwner && !$isOwner) {
return;
}
} }
$node->updateShares($message->set, $message->remove); $node->updateShares($message->set, $message->remove);
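Review bot: The lookup `getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes'` is written out here as a string literal for the fourth time in this commit (the other three are in the PublishPlugin section), so a typo in any one copy of the key would quietly leave that path unrestricted. A shared constant or small private helper would remove that risk, for example `private const LIMIT_SHARING_TO_OWNER = 'limitAddressBookAndCalendarSharingToOwner';`. A short comment above the check would also help the next reader, e.g. `// Write access alone is not enough once sharing is limited to the owner`. The enclosing handler starts and ends outside this hunk.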


@ -162,7 +162,7 @@ class Server {
$this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin()); $this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin());
$this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin()); $this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin());
$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest())); $this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest(), \OC::$server->getConfig()));
$this->server->addPlugin(new \OCA\DAV\CalDAV\Publishing\PublishPlugin( $this->server->addPlugin(new \OCA\DAV\CalDAV\Publishing\PublishPlugin(
\OC::$server->getConfig(), \OC::$server->getConfig(),
\OC::$server->getURLGenerator() \OC::$server->getURLGenerator()
@ -171,7 +171,7 @@ class Server {
// addressbook plugins // addressbook plugins
if ($this->requestIsForSubtree(['addressbooks', 'principals'])) { if ($this->requestIsForSubtree(['addressbooks', 'principals'])) {
$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest())); $this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest(), \OC::$server->getConfig()));
$this->server->addPlugin(new \OCA\DAV\CardDAV\Plugin()); $this->server->addPlugin(new \OCA\DAV\CardDAV\Plugin());
$this->server->addPlugin(new VCFExportPlugin()); $this->server->addPlugin(new VCFExportPlugin());
$this->server->addPlugin(new MultiGetExportPlugin()); $this->server->addPlugin(new MultiGetExportPlugin());


@ -30,6 +30,7 @@ namespace OCA\DAV\Tests\unit\CardDAV\Sharing;
use OCA\DAV\Connector\Sabre\Auth; use OCA\DAV\Connector\Sabre\Auth;
use OCA\DAV\DAV\Sharing\IShareable; use OCA\DAV\DAV\Sharing\IShareable;
use OCA\DAV\DAV\Sharing\Plugin; use OCA\DAV\DAV\Sharing\Plugin;
use OCP\IConfig;
use OCP\IRequest; use OCP\IRequest;
use Sabre\DAV\Server; use Sabre\DAV\Server;
use Sabre\DAV\SimpleCollection; use Sabre\DAV\SimpleCollection;
@ -55,7 +56,8 @@ class PluginTest extends TestCase {
/** @var IRequest $request */ /** @var IRequest $request */
$request = $this->getMockBuilder(IRequest::class)->disableOriginalConstructor()->getMock(); $request = $this->getMockBuilder(IRequest::class)->disableOriginalConstructor()->getMock();
$this->plugin = new Plugin($authBackend, $request); $config = $this->createMock(IConfig::class);
$this->plugin = new Plugin($authBackend, $request, $config);
$root = new SimpleCollection('root'); $root = new SimpleCollection('root');
$this->server = new \Sabre\DAV\Server($root); $this->server = new \Sabre\DAV\Server($root);
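Review bot: The bare `$this->createMock(IConfig::class)` added in setUp has no stub for `getAppValue`, so the plugin's comparison with `'yes'` is always false and the new owner-only branch is never executed by this test. The same applies to the second PluginTest section below. A test that enables the setting, e.g. `$config->method('getAppValue')->with('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no')->willReturn('yes');`, and asserts that `updateShares` is not called for a non-owner principal would cover the access-control path this commit adds. setUp continues outside the hunk, so the mock may need to be kept on a property to be configured per test.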


@ -30,6 +30,7 @@ namespace OCA\DAV\Tests\unit\DAV\Sharing;
use OCA\DAV\Connector\Sabre\Auth; use OCA\DAV\Connector\Sabre\Auth;
use OCA\DAV\DAV\Sharing\IShareable; use OCA\DAV\DAV\Sharing\IShareable;
use OCA\DAV\DAV\Sharing\Plugin; use OCA\DAV\DAV\Sharing\Plugin;
use OCP\IConfig;
use OCP\IRequest; use OCP\IRequest;
use Sabre\DAV\Server; use Sabre\DAV\Server;
use Sabre\DAV\SimpleCollection; use Sabre\DAV\SimpleCollection;
@ -55,7 +56,8 @@ class PluginTest extends TestCase {
/** @var IRequest $request */ /** @var IRequest $request */
$request = $this->getMockBuilder(IRequest::class)->disableOriginalConstructor()->getMock(); $request = $this->getMockBuilder(IRequest::class)->disableOriginalConstructor()->getMock();
$this->plugin = new Plugin($authBackend, $request); $config = $this->createMock(IConfig::class);
$this->plugin = new Plugin($authBackend, $request, $config);
$root = new SimpleCollection('root'); $root = new SimpleCollection('root');
$this->server = new \Sabre\DAV\Server($root); $this->server = new \Sabre\DAV\Server($root);