Restrict share handling to the owner only
Otherwise group members can remove the share for the complete group, remove edit permissions and even single user shares for other users. Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
parent
799b229a68
commit
c2d1e6e7ff
|
@ -61,8 +61,12 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
|
|||
* @param array $add
|
||||
* @param array $remove
|
||||
* @return void
|
||||
* @throws Forbidden
|
||||
*/
|
||||
function updateShares(array $add, array $remove) {
|
||||
public function updateShares(array $add, array $remove) {
|
||||
if ($this->isShared()) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
/** @var CalDavBackend $calDavBackend */
|
||||
$calDavBackend = $this->caldavBackend;
|
||||
$calDavBackend->updateShares($this, $add, $remove);
|
||||
|
@ -80,7 +84,10 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
function getShares() {
|
||||
public function getShares() {
|
||||
if ($this->isShared()) {
|
||||
return [];
|
||||
}
|
||||
/** @var CalDavBackend $calDavBackend */
|
||||
$calDavBackend = $this->caldavBackend;
|
||||
return $calDavBackend->getShares($this->getResourceId());
|
||||
|
@ -136,6 +143,10 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
|
|||
];
|
||||
}
|
||||
|
||||
if ($this->isShared()) {
|
||||
return $acl;
|
||||
}
|
||||
|
||||
/** @var CalDavBackend $calDavBackend */
|
||||
$calDavBackend = $this->caldavBackend;
|
||||
return $calDavBackend->applyShareAcl($this->getResourceId(), $acl);
|
||||
|
@ -156,7 +167,7 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
|
|||
if (isset($this->calendarInfo['{http://owncloud.org/ns}owner-principal']) &&
|
||||
$this->calendarInfo['{http://owncloud.org/ns}owner-principal'] !== $this->calendarInfo['principaluri']) {
|
||||
$principal = 'principal:' . parent::getOwner();
|
||||
$shares = $this->getShares();
|
||||
$shares = $this->caldavBackend->getShares($this->getResourceId());
|
||||
$shares = array_filter($shares, function($share) use ($principal){
|
||||
return $share['href'] === $principal;
|
||||
});
|
||||
|
|
|
@ -64,8 +64,12 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
|
|||
* @param array $add
|
||||
* @param array $remove
|
||||
* @return void
|
||||
* @throws Forbidden
|
||||
*/
|
||||
function updateShares(array $add, array $remove) {
|
||||
if ($this->isShared()) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
/** @var CardDavBackend $carddavBackend */
|
||||
$carddavBackend = $this->carddavBackend;
|
||||
$carddavBackend->updateShares($this, $add, $remove);
|
||||
|
@ -84,6 +88,9 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
|
|||
* @return array
|
||||
*/
|
||||
function getShares() {
|
||||
if ($this->isShared()) {
|
||||
return [];
|
||||
}
|
||||
/** @var CardDavBackend $carddavBackend */
|
||||
$carddavBackend = $this->carddavBackend;
|
||||
return $carddavBackend->getShares($this->getResourceId());
|
||||
|
@ -123,6 +130,10 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
|
|||
];
|
||||
}
|
||||
|
||||
if ($this->isShared()) {
|
||||
return $acl;
|
||||
}
|
||||
|
||||
/** @var CardDavBackend $carddavBackend */
|
||||
$carddavBackend = $this->carddavBackend;
|
||||
return $carddavBackend->applyShareAcl($this->getResourceId(), $acl);
|
||||
|
@ -160,7 +171,7 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
|
|||
function delete() {
|
||||
if (isset($this->addressBookInfo['{http://owncloud.org/ns}owner-principal'])) {
|
||||
$principal = 'principal:' . parent::getOwner();
|
||||
$shares = $this->getShares();
|
||||
$shares = $this->carddavBackend->getShares($this->getResourceId());
|
||||
$shares = array_filter($shares, function($share) use ($principal){
|
||||
return $share['href'] === $principal;
|
||||
});
|
||||
|
@ -192,6 +203,14 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
|
|||
return $cardDavBackend->collectCardProperties($this->getResourceId(), 'CATEGORIES');
|
||||
}
|
||||
|
||||
private function isShared() {
|
||||
if (!isset($this->addressBookInfo['{http://owncloud.org/ns}owner-principal'])) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $this->addressBookInfo['{http://owncloud.org/ns}owner-principal'] !== $this->addressBookInfo['principaluri'];
|
||||
}
|
||||
|
||||
private function canWrite() {
|
||||
if (isset($this->addressBookInfo['{http://owncloud.org/ns}read-only'])) {
|
||||
return !$this->addressBookInfo['{http://owncloud.org/ns}read-only'];
|
||||
|
|
|
@ -143,8 +143,6 @@ class CalDavBackendTest extends AbstractCalDavBackendTest {
|
|||
$this->assertAcl(self::UNIT_TEST_USER, '{DAV:}write', $acl);
|
||||
$this->assertAccess($userCanRead, self::UNIT_TEST_USER1, '{DAV:}read', $acl);
|
||||
$this->assertAccess($userCanWrite, self::UNIT_TEST_USER1, '{DAV:}write', $acl);
|
||||
$this->assertAccess($groupCanRead, self::UNIT_TEST_GROUP, '{DAV:}read', $acl);
|
||||
$this->assertAccess($groupCanWrite, self::UNIT_TEST_GROUP, '{DAV:}write', $acl);
|
||||
$this->assertEquals(self::UNIT_TEST_USER, $calendar->getOwner());
|
||||
|
||||
// test acls on the child
|
||||
|
@ -178,8 +176,6 @@ EOD;
|
|||
$this->assertAcl(self::UNIT_TEST_USER, '{DAV:}write', $acl);
|
||||
$this->assertAccess($userCanRead, self::UNIT_TEST_USER1, '{DAV:}read', $acl);
|
||||
$this->assertAccess($userCanWrite, self::UNIT_TEST_USER1, '{DAV:}write', $acl);
|
||||
$this->assertAccess($groupCanRead, self::UNIT_TEST_GROUP, '{DAV:}read', $acl);
|
||||
$this->assertAccess($groupCanWrite, self::UNIT_TEST_GROUP, '{DAV:}write', $acl);
|
||||
|
||||
// delete the address book
|
||||
$this->dispatcher->expects($this->at(0))
|
||||
|
|
Loading…
Reference in New Issue