diff --git a/crates/caldav/src/routes/event.rs b/crates/caldav/src/routes/event.rs index 9e51bc8..07a9872 100644 --- a/crates/caldav/src/routes/event.rs +++ b/crates/caldav/src/routes/event.rs @@ -42,10 +42,20 @@ pub async fn delete_event( pub async fn get_event( context: Data>, path: Path<(String, String, String)>, - _auth: AuthInfoExtractor, + auth: AuthInfoExtractor, ) -> Result { // TODO: verify whether user is authorized - let (_principal, cid, mut uid) = path.into_inner(); + let (principal, cid, mut uid) = path.into_inner(); + let auth_info = auth.inner; + if auth_info.user_id != principal { + return Ok(HttpResponse::Unauthorized().body("")); + } + + let calendar = context.store.read().await.get_calendar(&cid).await?; + if auth_info.user_id != calendar.owner { + return Ok(HttpResponse::Unauthorized().body("")); + } + if uid.ends_with(".ics") { uid.truncate(uid.len() - 4); } @@ -60,10 +70,19 @@ pub async fn put_event( context: Data>, path: Path<(String, String, String)>, body: String, - _auth: AuthInfoExtractor, + auth: AuthInfoExtractor, ) -> Result { - // TODO: verify whether user is authorized - let (_principal, cid, mut uid) = path.into_inner(); + let (principal, cid, mut uid) = path.into_inner(); + let auth_info = auth.inner; + if auth_info.user_id != principal { + return Ok(HttpResponse::Unauthorized().body("")); + } + + let calendar = context.store.read().await.get_calendar(&cid).await?; + if auth_info.user_id != calendar.owner { + return Ok(HttpResponse::Unauthorized().body("")); + } + // Incredibly bodged method of normalising the uid but works for a prototype if uid.ends_with(".ics") { uid.truncate(uid.len() - 4);