From 09b3ad042956d0f84a5af74ebb1fe92fbb96f2a0 Mon Sep 17 00:00:00 2001
From: Lennart <18233294+lennart-k@users.noreply.github.com>
Date: Wed, 27 Mar 2024 19:39:37 +0100
Subject: [PATCH] add some authentication

---
 crates/caldav/src/routes/event.rs | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/crates/caldav/src/routes/event.rs b/crates/caldav/src/routes/event.rs
index 9e51bc8..07a9872 100644
--- a/crates/caldav/src/routes/event.rs
+++ b/crates/caldav/src/routes/event.rs
@@ -42,10 +42,20 @@ pub async fn delete_event<A: CheckAuthentication, C: CalendarStore + ?Sized>(
 pub async fn get_event<A: CheckAuthentication, C: CalendarStore + ?Sized>(
     context: Data<CalDavContext<C>>,
     path: Path<(String, String, String)>,
-    _auth: AuthInfoExtractor<A>,
+    auth: AuthInfoExtractor<A>,
 ) -> Result<HttpResponse, Error> {
     // TODO: verify whether user is authorized
-    let (_principal, cid, mut uid) = path.into_inner();
+    let (principal, cid, mut uid) = path.into_inner();
+    let auth_info = auth.inner;
+    if auth_info.user_id != principal {
+        return Ok(HttpResponse::Unauthorized().body(""));
+    }
+
+    let calendar = context.store.read().await.get_calendar(&cid).await?;
+    if auth_info.user_id != calendar.owner {
+        return Ok(HttpResponse::Unauthorized().body(""));
+    }
+
     if uid.ends_with(".ics") {
         uid.truncate(uid.len() - 4);
     }
@@ -60,10 +70,19 @@ pub async fn put_event<A: CheckAuthentication, C: CalendarStore + ?Sized>(
     context: Data<CalDavContext<C>>,
     path: Path<(String, String, String)>,
     body: String,
-    _auth: AuthInfoExtractor<A>,
+    auth: AuthInfoExtractor<A>,
 ) -> Result<HttpResponse, Error> {
-    // TODO: verify whether user is authorized
-    let (_principal, cid, mut uid) = path.into_inner();
+    let (principal, cid, mut uid) = path.into_inner();
+    let auth_info = auth.inner;
+    if auth_info.user_id != principal {
+        return Ok(HttpResponse::Unauthorized().body(""));
+    }
+
+    let calendar = context.store.read().await.get_calendar(&cid).await?;
+    if auth_info.user_id != calendar.owner {
+        return Ok(HttpResponse::Unauthorized().body(""));
+    }
+
     // Incredibly bodged method of normalising the uid but works for a prototype
     if uid.ends_with(".ics") {
         uid.truncate(uid.len() - 4);