Some preparations for supporting principal memberships

crates/caldav/src/calendar/methods/mkcalendar.rs

@@ -57,7 +57,7 @@ pub async fn route_mkcalendar<C: CalendarStore>(
     root_span: RootSpan,
 ) -> Result<HttpResponse, Error> {
     let (principal, cal_id) = path.into_inner();
-    if principal != user.id {
+    if !user.is_principal(&principal) {
         return Err(Error::Unauthorized);
     }
 

crates/caldav/src/calendar/methods/post.rs

@@ -23,7 +23,7 @@ pub async fn route_post<C: CalendarStore, S: SubscriptionStore>(
     req: HttpRequest,
 ) -> Result<HttpResponse, Error> {
     let (principal, cal_id) = path.into_inner();
-    if principal != user.id {
+    if !user.is_principal(&principal) {
         return Err(Error::Unauthorized);
     }
 

crates/caldav/src/calendar/methods/report/mod.rs

@@ -34,7 +34,7 @@ pub async fn route_report_calendar<C: CalendarStore>(
     cal_store: Data<C>,
 ) -> Result<impl Responder, Error> {
     let (principal, cal_id) = path.into_inner();
-    if principal != user.id {
+    if !user.is_principal(&principal) {
         return Err(Error::Unauthorized);
     }
 

crates/caldav/src/calendar/resource.rs

@@ -300,10 +300,14 @@ impl Resource for CalendarResource {
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
         if self.cal.subscription_url.is_some() || self.read_only {
-            return Ok(UserPrivilegeSet::owner_read(self.cal.principal == user.id));
+            return Ok(UserPrivilegeSet::owner_read(
+                user.is_principal(&self.cal.principal),
+            ));
         }
 
-        Ok(UserPrivilegeSet::owner_only(self.cal.principal == user.id))
+        Ok(UserPrivilegeSet::owner_only(
+            user.is_principal(&self.cal.principal),
+        ))
     }
 }
 

crates/caldav/src/calendar_object/methods.rs

@@ -24,12 +24,12 @@ pub async fn get_event<C: CalendarStore>(
         object_id,
     } = path.into_inner();
 
-    if user.id != principal {
+    if !user.is_principal(&principal) {
         return Ok(HttpResponse::Unauthorized().body(""));
     }
 
     let calendar = store.get_calendar(&principal, &cal_id).await?;
-    if user.id != calendar.principal {
+    if !user.is_principal(&calendar.principal) {
         return Ok(HttpResponse::Unauthorized().body(""));
     }
 
@@ -56,7 +56,7 @@ pub async fn put_event<C: CalendarStore>(
         object_id,
     } = path.into_inner();
 
-    if user.id != principal {
+    if !user.is_principal(&principal) {
         return Ok(HttpResponse::Unauthorized().body(""));
     }
 

crates/caldav/src/calendar_object/resource.rs

@@ -91,7 +91,9 @@ impl Resource for CalendarObjectResource {
     }
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
-        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+        Ok(UserPrivilegeSet::owner_only(
+            user.is_principal(&self.principal),
+        ))
     }
 }
 

crates/caldav/src/calendar_set/mod.rs

@@ -55,9 +55,9 @@ impl Resource for CalendarSetResource {
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
         Ok(if self.read_only {
-            UserPrivilegeSet::owner_read(self.principal == user.id)
+            UserPrivilegeSet::owner_read(user.is_principal(&self.principal))
         } else {
-            UserPrivilegeSet::owner_only(self.principal == user.id)
+            UserPrivilegeSet::owner_only(user.is_principal(&self.principal))
         })
     }
 }

crates/caldav/src/principal/mod.rs

@@ -113,7 +113,9 @@ impl Resource for PrincipalResource {
     }
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
-        Ok(UserPrivilegeSet::owner_read(self.principal == user.id))
+        Ok(UserPrivilegeSet::owner_read(
+            user.is_principal(&self.principal),
+        ))
     }
 }
 

crates/carddav/src/address_object/methods.rs

@@ -26,8 +26,8 @@ pub async fn get_object<AS: AddressbookStore>(
         object_id,
     } = path.into_inner();
 
-    if user.id != principal {
-        return Ok(HttpResponse::Unauthorized().body(""));
+    if !user.is_principal(&principal) {
+        return Err(Error::Unauthorized);
     }
 
     let addressbook = store.get_addressbook(&principal, &addressbook_id).await?;
@@ -64,8 +64,8 @@ pub async fn put_object<AS: AddressbookStore>(
         object_id,
     } = path.into_inner();
 
-    if user.id != principal {
-        return Ok(HttpResponse::Unauthorized().body(""));
+    if !user.is_principal(&principal) {
+        return Err(Error::Unauthorized);
     }
 
     // TODO: implement If-Match
@@ -79,5 +79,5 @@ pub async fn put_object<AS: AddressbookStore>(
         .put_object(principal, addressbook_id, object, overwrite)
         .await?;
 
-    Ok(HttpResponse::Created().body(""))
+    Ok(HttpResponse::Created().finish())
 }

crates/carddav/src/address_object/resource.rs

@@ -87,7 +87,9 @@ impl Resource for AddressObjectResource {
     }
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
-        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+        Ok(UserPrivilegeSet::owner_only(
+            user.is_principal(&self.principal),
+        ))
     }
 }
 

crates/carddav/src/addressbook/methods/mkcol.rs

@@ -48,7 +48,7 @@ pub async fn route_mkcol<AS: AddressbookStore>(
     root_span: RootSpan,
 ) -> Result<HttpResponse, Error> {
     let (principal, addressbook_id) = path.into_inner();
-    if principal != user.id {
+    if !user.is_principal(&principal) {
         return Err(Error::Unauthorized);
     }
 

crates/carddav/src/addressbook/methods/post.rs

@@ -20,7 +20,7 @@ pub async fn route_post<A: AddressbookStore, S: SubscriptionStore>(
     req: HttpRequest,
 ) -> Result<HttpResponse, Error> {
     let (principal, addressbook_id) = path.into_inner();
-    if principal != user.id {
+    if !user.is_principal(&principal) {
         return Err(Error::Unauthorized);
     }
 

crates/carddav/src/addressbook/methods/report/mod.rs

@@ -30,7 +30,7 @@ pub async fn route_report_addressbook<AS: AddressbookStore>(
     addr_store: Data<AS>,
 ) -> Result<impl Responder, Error> {
     let (principal, addressbook_id) = path.into_inner();
-    if principal != user.id {
+    if !user.is_principal(&principal) {
         return Err(Error::Unauthorized);
     }
 

crates/carddav/src/addressbook/resource.rs

@@ -185,7 +185,9 @@ impl Resource for AddressbookResource {
     }
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
-        Ok(UserPrivilegeSet::owner_only(self.0.principal == user.id))
+        Ok(UserPrivilegeSet::owner_only(
+            user.is_principal(&self.0.principal),
+        ))
     }
 }
 

crates/carddav/src/principal/mod.rs

@@ -108,7 +108,9 @@ impl Resource for PrincipalResource {
     }
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
-        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+        Ok(UserPrivilegeSet::owner_only(
+            user.is_principal(&self.principal),
+        ))
     }
 }
 

crates/frontend/src/routes/addressbook.rs

@@ -19,7 +19,7 @@ pub async fn route_addressbook<AS: AddressbookStore>(
     user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
     let (owner, addrbook_id) = path.into_inner();
-    if owner != user.id {
+    if !user.is_principal(&owner) {
         return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
     }
     Ok(AddressbookPage {
@@ -35,7 +35,7 @@ pub async fn route_addressbook_restore<AS: AddressbookStore>(
     user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
     let (owner, addressbook_id) = path.into_inner();
-    if owner != user.id {
+    if !user.is_principal(&owner) {
         return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
     }
     store.restore_addressbook(&owner, &addressbook_id).await?;

crates/frontend/src/routes/calendar.rs

@@ -19,7 +19,7 @@ pub async fn route_calendar<C: CalendarStore>(
     user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
     let (owner, cal_id) = path.into_inner();
-    if owner != user.id {
+    if !user.is_principal(&owner) {
         return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
     }
     Ok(CalendarPage {
@@ -35,7 +35,7 @@ pub async fn route_calendar_restore<CS: CalendarStore>(
     user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
     let (owner, cal_id) = path.into_inner();
-    if owner != user.id {
+    if !user.is_principal(&owner) {
         return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
     }
     store.restore_calendar(&owner, &cal_id).await?;

crates/store/src/auth/user.rs

@@ -8,6 +8,7 @@ use serde::{Deserialize, Serialize};
 use std::future::{ready, Ready};
 
 #[derive(Debug, Clone, Deserialize, Serialize)]
+#[serde(deny_unknown_fields)]
 pub struct User {
     pub id: String,
     pub displayname: Option<String>,
@@ -16,6 +17,18 @@ pub struct User {
     pub app_tokens: Vec<String>,
 }
 
+impl User {
+    /// Returns true if the user is either
+    /// - the principal itself
+    /// - has full access to the prinicpal (is member)
+    pub fn is_principal(&self, principal: &str) -> bool {
+        if self.id == principal {
+            return true;
+        }
+        false
+    }
+}
+
 #[derive(Clone, Debug, Display)]
 pub struct UnauthorizedError;