Improvement to access control

2025-12-13 21:42:34 +00:00 · 2024-10-31 21:18:41 +01:00
parent c484a17911
commit 0c14f8ba90
24 changed files with 394 additions and 215 deletions
--- a/crates/caldav/src/calendar/methods/report/calendar_multiget.rs
+++ b/crates/caldav/src/calendar/methods/report/calendar_multiget.rs
@@ -16,7 +16,7 @@ use rustical_dav::{
        MultistatusElement,
    },
 };
-use rustical_store::{CalendarObject, CalendarStore};
+use rustical_store::{auth::User, CalendarObject, CalendarStore};
 use serde::Deserialize;

 #[derive(Deserialize, Clone, Debug)]
@@ -65,6 +65,7 @@ pub async fn get_objects_calendar_multiget<C: CalendarStore + ?Sized>(
 pub async fn handle_calendar_multiget<C: CalendarStore + ?Sized>(
    cal_multiget: CalendarMultigetRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    cal_store: &C,
@@ -88,11 +89,13 @@ pub async fn handle_calendar_multiget<C: CalendarStore + ?Sized>(
    let mut responses = Vec::new();
    for object in objects {
        let path = format!("{}/{}", req.path(), object.get_id());
-        responses.push(CalendarObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            CalendarObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    let not_found_responses = not_found
--- a/crates/caldav/src/calendar/methods/report/calendar_query.rs
+++ b/crates/caldav/src/calendar/methods/report/calendar_query.rs
@@ -5,7 +5,7 @@ use rustical_dav::{
    resource::Resource,
    xml::{multistatus::PropstatWrapper, MultistatusElement},
 };
-use rustical_store::{CalendarObject, CalendarStore};
+use rustical_store::{auth::User, CalendarObject, CalendarStore};
 use serde::Deserialize;

 use crate::{
@@ -206,6 +206,7 @@ pub async fn get_objects_calendar_query<C: CalendarStore + ?Sized>(
 pub async fn handle_calendar_query<C: CalendarStore + ?Sized>(
    cal_query: CalendarQueryRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    cal_store: &C,
@@ -230,11 +231,13 @@ pub async fn handle_calendar_query<C: CalendarStore + ?Sized>(
            vec![principal, cal_id, object.get_id()],
        )
        .unwrap();
-        responses.push(CalendarObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            CalendarObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    Ok(MultistatusElement {
--- a/crates/caldav/src/calendar/methods/report/mod.rs
+++ b/crates/caldav/src/calendar/methods/report/mod.rs
@@ -47,16 +47,32 @@ pub async fn route_report_calendar<C: CalendarStore + ?Sized>(

    Ok(match request.clone() {
        ReportRequest::CalendarQuery(cal_query) => {
-            handle_calendar_query(cal_query, req, &principal, &cal_id, cal_store.as_ref()).await?
+            handle_calendar_query(
+                cal_query,
+                req,
+                &user,
+                &principal,
+                &cal_id,
+                cal_store.as_ref(),
+            )
+            .await?
        }
        ReportRequest::CalendarMultiget(cal_multiget) => {
-            handle_calendar_multiget(cal_multiget, req, &principal, &cal_id, cal_store.as_ref())
-                .await?
+            handle_calendar_multiget(
+                cal_multiget,
+                req,
+                &user,
+                &principal,
+                &cal_id,
+                cal_store.as_ref(),
+            )
+            .await?
        }
        ReportRequest::SyncCollection(sync_collection) => {
            handle_sync_collection(
                sync_collection,
                req,
+                &user,
                &principal,
                &cal_id,
                cal_store.as_ref(),
--- a/crates/caldav/src/calendar/methods/report/sync_collection.rs
+++ b/crates/caldav/src/calendar/methods/report/sync_collection.rs
@@ -8,6 +8,7 @@ use rustical_dav::{
    },
 };
 use rustical_store::{
+    auth::User,
    synctoken::{format_synctoken, parse_synctoken},
    CalendarStore,
 };
@@ -44,6 +45,7 @@ pub struct SyncCollectionRequest {
 pub async fn handle_sync_collection<C: CalendarStore + ?Sized>(
    sync_collection: SyncCollectionRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    cal_store: &C,
@@ -71,11 +73,13 @@ pub async fn handle_sync_collection<C: CalendarStore + ?Sized>(
            vec![principal, cal_id, &object.get_id()],
        )
        .unwrap();
-        responses.push(CalendarObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            CalendarObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    for object_id in deleted_objects {
--- a/crates/caldav/src/calendar/prop.rs
+++ b/crates/caldav/src/calendar/prop.rs
@@ -47,55 +47,6 @@ pub struct Resourcetype {
    collection: (),
 }

-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum UserPrivilege {
-    Read,
-    ReadAcl,
-    Write,
-    WriteAcl,
-    WriteContent,
-    ReadCurrentUserPrivilegeSet,
-    Bind,
-    Unbind,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct UserPrivilegeWrapper {
-    #[serde(rename = "$value")]
-    privilege: UserPrivilege,
-}
-
-impl From<UserPrivilege> for UserPrivilegeWrapper {
-    fn from(value: UserPrivilege) -> Self {
-        Self { privilege: value }
-    }
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct UserPrivilegeSet {
-    privilege: Vec<UserPrivilegeWrapper>,
-}
-
-impl Default for UserPrivilegeSet {
-    fn default() -> Self {
-        Self {
-            privilege: vec![
-                UserPrivilege::Read.into(),
-                UserPrivilege::ReadAcl.into(),
-                UserPrivilege::Write.into(),
-                UserPrivilege::WriteAcl.into(),
-                UserPrivilege::WriteContent.into(),
-                UserPrivilege::ReadCurrentUserPrivilegeSet.into(),
-                UserPrivilege::Bind.into(),
-                UserPrivilege::Unbind.into(),
-            ],
-        }
-    }
-}
-
 #[derive(Debug, Clone, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub enum ReportMethod {
--- a/crates/caldav/src/calendar/resource.rs
+++ b/crates/caldav/src/calendar/resource.rs
@@ -2,7 +2,7 @@ use super::methods::mkcalendar::route_mkcalendar;
 use super::methods::report::route_report_calendar;
 use super::prop::{
    Resourcetype, SupportedCalendarComponent, SupportedCalendarComponentSet, SupportedCalendarData,
-    SupportedReportSet, UserPrivilegeSet,
+    SupportedReportSet,
 };
 use crate::calendar_object::resource::CalendarObjectResource;
 use crate::principal::PrincipalResource;
@@ -13,6 +13,7 @@ use actix_web::web;
 use actix_web::{web::Data, HttpRequest};
 use async_trait::async_trait;
 use derive_more::derive::{From, Into};
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -43,7 +44,7 @@ pub enum CalendarPropName {
    SupportedCalendarComponentSet,
    SupportedCalendarData,
    Getcontenttype,
-    CurrentUserPrivilegeSet,
+    // CurrentUserPrivilegeSet,
    MaxResourceSize,
    SupportedReportSet,
    SyncToken,
@@ -63,7 +64,7 @@ pub enum CalendarProp {

    // WebDAV Access Control (RFC 3744)
    Owner(HrefElement),
-    CurrentUserPrivilegeSet(UserPrivilegeSet),
+    // CurrentUserPrivilegeSet(UserPrivilegeSet),

    // CalDAV (RFC 4791)
    #[serde(rename = "IC:calendar-color", alias = "calendar-color")]
@@ -113,6 +114,7 @@ impl Resource for CalendarResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
@@ -156,9 +158,9 @@ impl Resource for CalendarResource {
                CalendarProp::Getcontenttype("text/calendar;charset=utf-8".to_owned())
            }
            CalendarPropName::MaxResourceSize => CalendarProp::MaxResourceSize(10000000),
-            CalendarPropName::CurrentUserPrivilegeSet => {
-                CalendarProp::CurrentUserPrivilegeSet(UserPrivilegeSet::default())
-            }
+            // CalendarPropName::CurrentUserPrivilegeSet => {
+            //     CalendarProp::CurrentUserPrivilegeSet(user_privileges.to_owned())
+            // }
            CalendarPropName::SupportedReportSet => {
                CalendarProp::SupportedReportSet(SupportedReportSet::default())
            }
@@ -198,7 +200,7 @@ impl Resource for CalendarResource {
            CalendarProp::SupportedCalendarData(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::Getcontenttype(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::MaxResourceSize(_) => Err(rustical_dav::Error::PropReadOnly),
-            CalendarProp::CurrentUserPrivilegeSet(_) => Err(rustical_dav::Error::PropReadOnly),
+            // CalendarProp::CurrentUserPrivilegeSet(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::SupportedReportSet(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::SyncToken(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::Getctag(_) => Err(rustical_dav::Error::PropReadOnly),
@@ -237,7 +239,7 @@ impl Resource for CalendarResource {
            CalendarPropName::SupportedCalendarData => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::Getcontenttype => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::MaxResourceSize => Err(rustical_dav::Error::PropReadOnly),
-            CalendarPropName::CurrentUserPrivilegeSet => Err(rustical_dav::Error::PropReadOnly),
+            // CalendarPropName::CurrentUserPrivilegeSet => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::SupportedReportSet => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::SyncToken => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::Getctag => Err(rustical_dav::Error::PropReadOnly),
@@ -248,6 +250,10 @@ impl Resource for CalendarResource {
    fn resource_name() -> &'static str {
        "caldav_calendar"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.0.principal == user.id))
+    }
 }

 #[async_trait(?Send)]
@@ -257,10 +263,7 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarResourceService<C> {
    type Resource = CalendarResource;
    type Error = Error;

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
+    async fn get_resource(&self) -> Result<Self::Resource, Error> {
        let calendar = self
            .cal_store
            .get_calendar(&self.principal, &self.calendar_id)
@@ -285,7 +288,10 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarResourceService<C> {
                        vec![&self.principal, &self.calendar_id, object.get_id()],
                    )
                    .unwrap(),
-                    object.into(),
+                    CalendarObjectResource {
+                        object,
+                        principal: self.principal.to_owned(),
+                    },
                )
            })
            .collect())
--- a/crates/caldav/src/calendar_object/resource.rs
+++ b/crates/caldav/src/calendar_object/resource.rs
@@ -1,9 +1,13 @@
 use super::methods::{get_event, put_event};
-use crate::Error;
+use crate::{principal::PrincipalResource, Error};
 use actix_web::{dev::ResourceMap, web::Data, HttpRequest};
 use async_trait::async_trait;
 use derive_more::derive::{From, Into};
-use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
+use rustical_dav::{
+    privileges::UserPrivilegeSet,
+    resource::{InvalidProperty, Resource, ResourceService},
+    xml::HrefElement,
+};
 use rustical_store::{auth::User, CalendarObject, CalendarStore};
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
@@ -23,6 +27,9 @@ pub enum CalendarObjectPropName {
    Getetag,
    CalendarData,
    Getcontenttype,
+    CurrentUserPrincipal,
+    Owner,
+    CurrentUserPrivilegeSet,
 }

 #[derive(Deserialize, Serialize, Debug, Clone)]
@@ -35,6 +42,13 @@ pub enum CalendarObjectProp {
    // CalDAV (RFC 4791)
    #[serde(rename = "C:calendar-data")]
    CalendarData(String),
+
+    // WebDAV Current Principal Extension (RFC 5397)
+    CurrentUserPrincipal(HrefElement),
+
+    // WebDAV Access Control (RFC 3744)
+    Owner(HrefElement),
+    CurrentUserPrivilegeSet(UserPrivilegeSet),
    #[serde(other)]
    Invalid,
 }
@@ -46,7 +60,10 @@ impl InvalidProperty for CalendarObjectProp {
 }

 #[derive(Clone, From, Into)]
-pub struct CalendarObjectResource(CalendarObject);
+pub struct CalendarObjectResource {
+    pub object: CalendarObject,
+    pub principal: String,
+}

 impl Resource for CalendarObjectResource {
    type PropName = CalendarObjectPropName;
@@ -55,17 +72,29 @@ impl Resource for CalendarObjectResource {

    fn get_prop(
        &self,
-        _rmap: &ResourceMap,
+        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
-            CalendarObjectPropName::Getetag => CalendarObjectProp::Getetag(self.0.get_etag()),
+            CalendarObjectPropName::Getetag => CalendarObjectProp::Getetag(self.object.get_etag()),
            CalendarObjectPropName::CalendarData => {
-                CalendarObjectProp::CalendarData(self.0.get_ics().to_owned())
+                CalendarObjectProp::CalendarData(self.object.get_ics().to_owned())
            }
            CalendarObjectPropName::Getcontenttype => {
                CalendarObjectProp::Getcontenttype("text/calendar;charset=utf-8".to_owned())
            }
+            CalendarObjectPropName::CurrentUserPrincipal => {
+                CalendarObjectProp::CurrentUserPrincipal(HrefElement::new(
+                    PrincipalResource::get_principal_url(rmap, &user.id),
+                ))
+            }
+            CalendarObjectPropName::Owner => CalendarObjectProp::Owner(
+                PrincipalResource::get_principal_url(rmap, &self.principal).into(),
+            ),
+            CalendarObjectPropName::CurrentUserPrivilegeSet => {
+                CalendarObjectProp::CurrentUserPrivilegeSet(self.get_user_privileges(&user)?)
+            }
        })
    }

@@ -73,6 +102,10 @@ impl Resource for CalendarObjectResource {
    fn resource_name() -> &'static str {
        "caldav_calendar_object"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+    }
 }

 #[derive(Debug, Clone)]
@@ -132,15 +165,15 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarObjectResourceServic
        })
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
-        let event = self
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
+        let object = self
            .cal_store
            .get_object(&self.principal, &self.cal_id, &self.object_id)
            .await?;
-        Ok(event.into())
+        Ok(CalendarObjectResource {
+            object,
+            principal: self.principal.to_owned(),
+        })
    }

    async fn save_resource(&self, _file: Self::Resource) -> Result<(), Self::Error> {
--- a/crates/caldav/src/principal/mod.rs
+++ b/crates/caldav/src/principal/mod.rs
@@ -4,6 +4,7 @@ use actix_web::dev::ResourceMap;
 use actix_web::web::Data;
 use actix_web::HttpRequest;
 use async_trait::async_trait;
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -42,6 +43,10 @@ pub enum PrincipalProp {
    // WebDAV Current Principal Extension (RFC 5397)
    CurrentUserPrincipal(HrefElement),

+    // WebDAV Access Control (RFC 3744)
+    Owner(HrefElement),
+    CurrentUserPrivilegeSet(UserPrivilegeSet),
+
    // CalDAV (RFC 4791)
    #[serde(rename = "C:calendar-home-set")]
    CalendarHomeSet(HrefElement),
@@ -63,12 +68,20 @@ impl InvalidProperty for PrincipalProp {
 pub enum PrincipalPropName {
    Resourcetype,
    CurrentUserPrincipal,
+    Owner,
+    CurrentUserPrivilegeSet,
    #[strum(serialize = "principal-URL")]
    PrincipalUrl,
    CalendarHomeSet,
    CalendarUserAddressSet,
 }

+impl PrincipalResource {
+    pub fn get_principal_url(rmap: &ResourceMap, principal: &str) -> String {
+        Self::get_url(rmap, vec![principal]).unwrap()
+    }
+}
+
 impl Resource for PrincipalResource {
    type PropName = PrincipalPropName;
    type Prop = PrincipalProp;
@@ -77,6 +90,7 @@ impl Resource for PrincipalResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        let principal_href = HrefElement::new(Self::get_url(rmap, vec![&self.principal]).unwrap());
@@ -86,6 +100,12 @@ impl Resource for PrincipalResource {
            PrincipalPropName::CurrentUserPrincipal => {
                PrincipalProp::CurrentUserPrincipal(principal_href)
            }
+            PrincipalPropName::Owner => PrincipalProp::Owner(HrefElement::new(
+                PrincipalResource::get_url(rmap, vec![&self.principal]).unwrap(),
+            )),
+            PrincipalPropName::CurrentUserPrivilegeSet => {
+                PrincipalProp::CurrentUserPrivilegeSet(self.get_user_privileges(user)?)
+            }
            PrincipalPropName::PrincipalUrl => PrincipalProp::PrincipalUrl(principal_href),
            PrincipalPropName::CalendarHomeSet => PrincipalProp::CalendarHomeSet(principal_href),
            PrincipalPropName::CalendarUserAddressSet => {
@@ -98,6 +118,10 @@ impl Resource for PrincipalResource {
    fn resource_name() -> &'static str {
        "caldav_principal"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+    }
 }

 #[async_trait(?Send)]
@@ -123,10 +147,7 @@ impl<C: CalendarStore + ?Sized> ResourceService for PrincipalResourceService<C>
        })
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
        Ok(PrincipalResource {
            principal: self.principal.to_owned(),
        })
--- a/crates/caldav/src/root/mod.rs
+++ b/crates/caldav/src/root/mod.rs
@@ -3,6 +3,7 @@ use crate::Error;
 use actix_web::dev::ResourceMap;
 use actix_web::HttpRequest;
 use async_trait::async_trait;
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -13,8 +14,8 @@ use strum::{EnumString, VariantNames};
 #[strum(serialize_all = "kebab-case")]
 pub enum RootPropName {
    Resourcetype,
-    // Defined by RFC 5397
    CurrentUserPrincipal,
+    CurrentUserPrivilegeSet,
 }

 #[derive(Deserialize, Serialize, Default, Debug)]
@@ -31,6 +32,10 @@ pub enum RootProp {

    // WebDAV Current Principal Extension (RFC 5397)
    CurrentUserPrincipal(HrefElement),
+
+    // WebDAV Access Control Protocol (RFC 3477)
+    CurrentUserPrivilegeSet(UserPrivilegeSet),
+
    #[serde(other)]
    Invalid,
 }
@@ -42,9 +47,7 @@ impl InvalidProperty for RootProp {
 }

 #[derive(Clone)]
-pub struct RootResource {
-    principal: String,
-}
+pub struct RootResource;

 impl Resource for RootResource {
    type PropName = RootPropName;
@@ -54,13 +57,17 @@ impl Resource for RootResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
            RootPropName::Resourcetype => RootProp::Resourcetype(Resourcetype::default()),
            RootPropName::CurrentUserPrincipal => RootProp::CurrentUserPrincipal(HrefElement::new(
-                PrincipalResource::get_url(rmap, vec![&self.principal]).unwrap(),
+                PrincipalResource::get_url(rmap, vec![&user.id]).unwrap(),
            )),
+            RootPropName::CurrentUserPrivilegeSet => {
+                RootProp::CurrentUserPrivilegeSet(self.get_user_privileges(user)?)
+            }
        })
    }

@@ -68,6 +75,10 @@ impl Resource for RootResource {
    fn resource_name() -> &'static str {
        "caldav_root"
    }
+
+    fn get_user_privileges(&self, _user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::all())
+    }
 }

 pub struct RootResourceService;
@@ -86,8 +97,8 @@ impl ResourceService for RootResourceService {
        Ok(Self)
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
-        Ok(RootResource { principal: user.id })
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
+        Ok(RootResource)
    }

    async fn save_resource(&self, _file: Self::Resource) -> Result<(), Self::Error> {
--- a/crates/carddav/src/address_object/resource.rs
+++ b/crates/carddav/src/address_object/resource.rs
@@ -1,8 +1,12 @@
-use crate::Error;
+use crate::{principal::PrincipalResource, Error};
 use actix_web::{dev::ResourceMap, web::Data, HttpRequest};
 use async_trait::async_trait;
 use derive_more::derive::{From, Into};
-use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
+use rustical_dav::{
+    privileges::UserPrivilegeSet,
+    resource::{InvalidProperty, Resource, ResourceService},
+    xml::HrefElement,
+};
 use rustical_store::{auth::User, AddressObject, AddressbookStore};
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
@@ -24,6 +28,9 @@ pub enum AddressObjectPropName {
    Getetag,
    AddressData,
    Getcontenttype,
+    CurrentUserPrincipal,
+    Owner,
+    CurrentUserPrivilegeSet,
 }

 #[derive(Deserialize, Serialize, Debug, Clone)]
@@ -33,6 +40,13 @@ pub enum AddressObjectProp {
    Getetag(String),
    Getcontenttype(String),

+    // WebDAV Current Principal Extension (RFC 5397)
+    CurrentUserPrincipal(HrefElement),
+
+    // WebDAV Access Control (RFC 3744)
+    Owner(HrefElement),
+    CurrentUserPrivilegeSet(UserPrivilegeSet),
+
    // CalDAV (RFC 4791)
    #[serde(rename = "CARD:address-data")]
    AddressData(String),
@@ -47,7 +61,10 @@ impl InvalidProperty for AddressObjectProp {
 }

 #[derive(Clone, From, Into)]
-pub struct AddressObjectResource(AddressObject);
+pub struct AddressObjectResource {
+    pub object: AddressObject,
+    pub principal: String,
+}

 impl Resource for AddressObjectResource {
    type PropName = AddressObjectPropName;
@@ -56,17 +73,27 @@ impl Resource for AddressObjectResource {

    fn get_prop(
        &self,
-        _rmap: &ResourceMap,
+        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
-            AddressObjectPropName::Getetag => AddressObjectProp::Getetag(self.0.get_etag()),
+            AddressObjectPropName::Getetag => AddressObjectProp::Getetag(self.object.get_etag()),
            AddressObjectPropName::AddressData => {
-                AddressObjectProp::AddressData(self.0.get_vcf().to_owned())
+                AddressObjectProp::AddressData(self.object.get_vcf().to_owned())
            }
            AddressObjectPropName::Getcontenttype => {
                AddressObjectProp::Getcontenttype("text/vcard;charset=utf-8".to_owned())
            }
+            AddressObjectPropName::CurrentUserPrincipal => AddressObjectProp::CurrentUserPrincipal(
+                HrefElement::new(PrincipalResource::get_principal_url(rmap, &user.id)),
+            ),
+            AddressObjectPropName::Owner => AddressObjectProp::Owner(
+                PrincipalResource::get_principal_url(rmap, &self.principal).into(),
+            ),
+            AddressObjectPropName::CurrentUserPrivilegeSet => {
+                AddressObjectProp::CurrentUserPrivilegeSet(UserPrivilegeSet::all())
+            }
        })
    }

@@ -74,6 +101,10 @@ impl Resource for AddressObjectResource {
    fn resource_name() -> &'static str {
        "carddav_address_object"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+    }
 }

 #[derive(Debug, Clone)]
@@ -133,15 +164,15 @@ impl<AS: AddressbookStore + ?Sized> ResourceService for AddressObjectResourceSer
        })
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
-        let event = self
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
+        let object = self
            .addr_store
            .get_object(&self.principal, &self.cal_id, &self.object_id)
            .await?;
-        Ok(event.into())
+        Ok(AddressObjectResource {
+            object,
+            principal: self.principal.to_owned(),
+        })
    }

    async fn save_resource(&self, _file: Self::Resource) -> Result<(), Self::Error> {
--- a/crates/carddav/src/addressbook/methods/report/addressbook_multiget.rs
+++ b/crates/carddav/src/addressbook/methods/report/addressbook_multiget.rs
@@ -16,7 +16,7 @@ use rustical_dav::{
        MultistatusElement,
    },
 };
-use rustical_store::{AddressObject, AddressbookStore};
+use rustical_store::{auth::User, AddressObject, AddressbookStore};
 use serde::Deserialize;

 #[derive(Deserialize, Clone, Debug)]
@@ -64,6 +64,7 @@ pub async fn get_objects_addressbook_multiget<AS: AddressbookStore + ?Sized>(
 pub async fn handle_addressbook_multiget<AS: AddressbookStore + ?Sized>(
    addr_multiget: AddressbookMultigetRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    addr_store: &AS,
@@ -92,11 +93,13 @@ pub async fn handle_addressbook_multiget<AS: AddressbookStore + ?Sized>(
    let mut responses = Vec::new();
    for object in objects {
        let path = format!("{}/{}", req.path(), object.get_id());
-        responses.push(AddressObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            AddressObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    let not_found_responses = not_found
--- a/crates/carddav/src/addressbook/methods/report/mod.rs
+++ b/crates/carddav/src/addressbook/methods/report/mod.rs
@@ -47,6 +47,7 @@ pub async fn route_report_addressbook<AS: AddressbookStore + ?Sized>(
            handle_addressbook_multiget(
                addr_multiget,
                req,
+                &user,
                &principal,
                &addressbook_id,
                addr_store.as_ref(),
@@ -57,6 +58,7 @@ pub async fn route_report_addressbook<AS: AddressbookStore + ?Sized>(
            handle_sync_collection(
                sync_collection,
                req,
+                &user,
                &principal,
                &addressbook_id,
                addr_store.as_ref(),
--- a/crates/carddav/src/addressbook/methods/report/sync_collection.rs
+++ b/crates/carddav/src/addressbook/methods/report/sync_collection.rs
@@ -12,6 +12,7 @@ use rustical_dav::{
    },
 };
 use rustical_store::{
+    auth::User,
    synctoken::{format_synctoken, parse_synctoken},
    AddressbookStore,
 };
@@ -42,6 +43,7 @@ pub struct SyncCollectionRequest {
 pub async fn handle_sync_collection<AS: AddressbookStore + ?Sized>(
    sync_collection: SyncCollectionRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    addressbook_id: &str,
    addr_store: &AS,
@@ -69,11 +71,13 @@ pub async fn handle_sync_collection<AS: AddressbookStore + ?Sized>(
            vec![principal, addressbook_id, &object.get_id()],
        )
        .unwrap();
-        responses.push(AddressObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            AddressObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    for object_id in deleted_objects {
--- a/crates/carddav/src/addressbook/prop.rs
+++ b/crates/carddav/src/addressbook/prop.rs
@@ -41,55 +41,6 @@ pub struct Resourcetype {
    collection: (),
 }

-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum UserPrivilege {
-    Read,
-    ReadAcl,
-    Write,
-    WriteAcl,
-    WriteContent,
-    ReadCurrentUserPrivilegeSet,
-    Bind,
-    Unbind,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct UserPrivilegeWrapper {
-    #[serde(rename = "$value")]
-    privilege: UserPrivilege,
-}
-
-impl From<UserPrivilege> for UserPrivilegeWrapper {
-    fn from(value: UserPrivilege) -> Self {
-        Self { privilege: value }
-    }
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct UserPrivilegeSet {
-    privilege: Vec<UserPrivilegeWrapper>,
-}
-
-impl Default for UserPrivilegeSet {
-    fn default() -> Self {
-        Self {
-            privilege: vec![
-                UserPrivilege::Read.into(),
-                UserPrivilege::ReadAcl.into(),
-                UserPrivilege::Write.into(),
-                UserPrivilege::WriteAcl.into(),
-                UserPrivilege::WriteContent.into(),
-                UserPrivilege::ReadCurrentUserPrivilegeSet.into(),
-                UserPrivilege::Bind.into(),
-                UserPrivilege::Unbind.into(),
-            ],
-        }
-    }
-}
-
 #[derive(Debug, Clone, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub enum ReportMethod {
--- a/crates/carddav/src/addressbook/resource.rs
+++ b/crates/carddav/src/addressbook/resource.rs
@@ -1,6 +1,6 @@
 use super::methods::mkcol::route_mkcol;
 use super::methods::report::route_report_addressbook;
-use super::prop::{Resourcetype, SupportedAddressData, SupportedReportSet, UserPrivilegeSet};
+use super::prop::{Resourcetype, SupportedAddressData, SupportedReportSet};
 use crate::address_object::resource::AddressObjectResource;
 use crate::principal::PrincipalResource;
 use crate::Error;
@@ -10,6 +10,7 @@ use actix_web::web;
 use actix_web::{web::Data, HttpRequest};
 use async_trait::async_trait;
 use derive_more::derive::{From, Into};
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -99,6 +100,7 @@ impl Resource for AddressbookResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
@@ -107,12 +109,15 @@ impl Resource for AddressbookResource {
            }
            AddressbookPropName::CurrentUserPrincipal => {
                AddressbookProp::CurrentUserPrincipal(HrefElement::new(
-                    PrincipalResource::get_url(rmap, vec![&self.0.principal]).unwrap(),
+                    PrincipalResource::get_principal_url(rmap, &self.0.principal),
                ))
            }
-            AddressbookPropName::Owner => AddressbookProp::Owner(HrefElement::new(
-                PrincipalResource::get_url(rmap, vec![&self.0.principal]).unwrap(),
-            )),
+            AddressbookPropName::Owner => AddressbookProp::Owner(
+                PrincipalResource::get_principal_url(rmap, &self.0.principal).into(),
+            ),
+            AddressbookPropName::CurrentUserPrivilegeSet => {
+                AddressbookProp::CurrentUserPrivilegeSet(UserPrivilegeSet::all())
+            }
            AddressbookPropName::Displayname => {
                AddressbookProp::Displayname(self.0.displayname.clone())
            }
@@ -120,9 +125,6 @@ impl Resource for AddressbookResource {
                AddressbookProp::Getcontenttype("text/vcard;charset=utf-8".to_owned())
            }
            AddressbookPropName::MaxResourceSize => AddressbookProp::MaxResourceSize(10000000),
-            AddressbookPropName::CurrentUserPrivilegeSet => {
-                AddressbookProp::CurrentUserPrivilegeSet(UserPrivilegeSet::default())
-            }
            AddressbookPropName::SupportedReportSet => {
                AddressbookProp::SupportedReportSet(SupportedReportSet::default())
            }
@@ -188,6 +190,10 @@ impl Resource for AddressbookResource {
    fn resource_name() -> &'static str {
        "carddav_addressbook"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.0.principal == user.id))
+    }
 }

 #[async_trait(?Send)]
@@ -197,10 +203,7 @@ impl<AS: AddressbookStore + ?Sized> ResourceService for AddressbookResourceServi
    type Resource = AddressbookResource;
    type Error = Error;

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
+    async fn get_resource(&self) -> Result<Self::Resource, Error> {
        let addressbook = self
            .addr_store
            .get_addressbook(&self.principal, &self.addressbook_id)
@@ -225,7 +228,10 @@ impl<AS: AddressbookStore + ?Sized> ResourceService for AddressbookResourceServi
                        vec![&self.principal, &self.addressbook_id, object.get_id()],
                    )
                    .unwrap(),
-                    object.into(),
+                    AddressObjectResource {
+                        object,
+                        principal: self.principal.to_owned(),
+                    },
                )
            })
            .collect())
--- a/crates/carddav/src/principal/mod.rs
+++ b/crates/carddav/src/principal/mod.rs
@@ -4,6 +4,7 @@ use actix_web::dev::ResourceMap;
 use actix_web::web::Data;
 use actix_web::HttpRequest;
 use async_trait::async_trait;
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -68,6 +69,12 @@ pub enum PrincipalPropName {
    PrincipalAddress,
 }

+impl PrincipalResource {
+    pub fn get_principal_url(rmap: &ResourceMap, principal: &str) -> String {
+        Self::get_url(rmap, vec![principal]).unwrap()
+    }
+}
+
 impl Resource for PrincipalResource {
    type PropName = PrincipalPropName;
    type Prop = PrincipalProp;
@@ -76,9 +83,10 @@ impl Resource for PrincipalResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
-        let principal_href = HrefElement::new(Self::get_url(rmap, vec![&self.principal]).unwrap());
+        let principal_href = HrefElement::new(Self::get_principal_url(rmap, &self.principal));

        Ok(match prop {
            PrincipalPropName::Resourcetype => PrincipalProp::Resourcetype(Resourcetype::default()),
@@ -97,6 +105,10 @@ impl Resource for PrincipalResource {
    fn resource_name() -> &'static str {
        "carddav_principal"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
+    }
 }

 #[async_trait(?Send)]
@@ -122,10 +134,7 @@ impl<A: AddressbookStore + ?Sized> ResourceService for PrincipalResourceService<
        })
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
        Ok(PrincipalResource {
            principal: self.principal.to_owned(),
        })
--- a/crates/carddav/src/root/mod.rs
+++ b/crates/carddav/src/root/mod.rs
@@ -3,6 +3,7 @@ use crate::Error;
 use actix_web::dev::ResourceMap;
 use actix_web::HttpRequest;
 use async_trait::async_trait;
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -13,8 +14,8 @@ use strum::{EnumString, VariantNames};
 #[strum(serialize_all = "kebab-case")]
 pub enum RootPropName {
    Resourcetype,
-    // Defined by RFC 5397
    CurrentUserPrincipal,
+    CurrentUserPrivilegeSet,
 }

 #[derive(Deserialize, Serialize, Default, Debug)]
@@ -31,7 +32,11 @@ pub enum RootProp {

    // WebDAV Current Principal Extension (RFC 5397)
    CurrentUserPrincipal(HrefElement),
-    #[serde(other)]
+
+    // WebDAV Access Control Protocol (RFC 3477)
+    CurrentUserPrivilegeSet(UserPrivilegeSet),
+
+    #[serde(untagged)]
    Invalid,
 }

@@ -42,9 +47,7 @@ impl InvalidProperty for RootProp {
 }

 #[derive(Clone)]
-pub struct RootResource {
-    principal: String,
-}
+pub struct RootResource;

 impl Resource for RootResource {
    type PropName = RootPropName;
@@ -54,13 +57,17 @@ impl Resource for RootResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
            RootPropName::Resourcetype => RootProp::Resourcetype(Resourcetype::default()),
-            RootPropName::CurrentUserPrincipal => RootProp::CurrentUserPrincipal(HrefElement::new(
-                PrincipalResource::get_url(rmap, vec![&self.principal]).unwrap(),
-            )),
+            RootPropName::CurrentUserPrincipal => RootProp::CurrentUserPrincipal(
+                PrincipalResource::get_principal_url(rmap, &user.id).into(),
+            ),
+            RootPropName::CurrentUserPrivilegeSet => {
+                RootProp::CurrentUserPrivilegeSet(self.get_user_privileges(user)?)
+            }
        })
    }

@@ -68,6 +75,10 @@ impl Resource for RootResource {
    fn resource_name() -> &'static str {
        "carddav_root"
    }
+
+    fn get_user_privileges(&self, _user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::all())
+    }
 }

 pub struct RootResourceService;
@@ -86,8 +97,8 @@ impl ResourceService for RootResourceService {
        Ok(Self)
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
-        Ok(RootResource { principal: user.id })
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
+        Ok(RootResource)
    }

    async fn save_resource(&self, _file: Self::Resource) -> Result<(), Self::Error> {
--- a/crates/dav/src/lib.rs
+++ b/crates/dav/src/lib.rs
@@ -2,6 +2,7 @@ pub mod depth_header;
 pub mod error;
 pub mod methods;
 pub mod namespace;
+pub mod privileges;
 pub mod resource;
 pub mod xml;

--- a/crates/dav/src/methods/delete.rs
+++ b/crates/dav/src/methods/delete.rs
@@ -1,4 +1,7 @@
+use crate::privileges::UserPrivilege;
+use crate::resource::Resource;
 use crate::resource::ResourceService;
+use crate::Error;
 use actix_web::web::Path;
 use actix_web::HttpRequest;
 use actix_web::HttpResponse;
@@ -8,7 +11,7 @@ use rustical_store::auth::User;
 pub async fn route_delete<R: ResourceService>(
    path_components: Path<R::PathComponents>,
    req: HttpRequest,
-    _user: User,
+    user: User,
 ) -> Result<impl Responder, R::Error> {
    let path_components = path_components.into_inner();

@@ -19,6 +22,13 @@ pub async fn route_delete<R: ResourceService>(
        .unwrap_or(false);

    let resource_service = R::new(&req, path_components.clone()).await?;
+    let resource = resource_service.get_resource().await?;
+    let privileges = resource.get_user_privileges(&user)?;
+    if !privileges.has(&UserPrivilege::Write) {
+        // TODO: Actually the spec wants us to look whether we have unbind access in the parent
+        // collection
+        return Err(Error::Unauthorized.into());
+    }
    resource_service.delete_resource(!no_trash).await?;

    Ok(HttpResponse::Ok().body(""))
--- a/crates/dav/src/methods/propfind.rs
+++ b/crates/dav/src/methods/propfind.rs
@@ -1,4 +1,5 @@
 use crate::depth_header::Depth;
+use crate::privileges::UserPrivilege;
 use crate::resource::Resource;
 use crate::resource::ResourceService;
 use crate::xml::multistatus::PropstatWrapper;
@@ -52,6 +53,12 @@ pub async fn route_propfind<R: ResourceService>(
 > {
    let resource_service = R::new(&req, path_components.into_inner()).await?;

+    let resource = resource_service.get_resource().await?;
+    let privileges = resource.get_user_privileges(&user)?;
+    if !privileges.has(&UserPrivilege::Read) {
+        return Err(Error::Unauthorized.into());
+    }
+
    // A request body is optional. If empty we MUST return all props
    let propfind: PropfindElement = if !body.is_empty() {
        quick_xml::de::from_str(&body).map_err(Error::XmlDeserializationError)?
@@ -75,12 +82,16 @@ pub async fn route_propfind<R: ResourceService>(
    let mut member_responses = Vec::new();
    if depth != Depth::Zero {
        for (path, member) in resource_service.get_members(req.resource_map()).await? {
-            member_responses.push(member.propfind(&path, props.clone(), req.resource_map())?);
+            member_responses.push(member.propfind(
+                &path,
+                props.clone(),
+                &user,
+                req.resource_map(),
+            )?);
        }
    }

-    let resource = resource_service.get_resource(user).await?;
-    let response = resource.propfind(req.path(), props, req.resource_map())?;
+    let response = resource.propfind(req.path(), props, &user, req.resource_map())?;

    Ok(MultistatusElement {
        responses: vec![response],
--- a/crates/dav/src/methods/proppatch.rs
+++ b/crates/dav/src/methods/proppatch.rs
@@ -1,3 +1,4 @@
+use crate::privileges::UserPrivilege;
 use crate::resource::InvalidProperty;
 use crate::resource::Resource;
 use crate::resource::ResourceService;
@@ -76,7 +77,11 @@ pub async fn route_proppatch<R: ResourceService>(
        })
        .collect();

-    let mut resource = resource_service.get_resource(user).await?;
+    let mut resource = resource_service.get_resource().await?;
+    let privileges = resource.get_user_privileges(&user)?;
+    if !privileges.has(&UserPrivilege::Write) {
+        return Err(Error::Unauthorized.into());
+    }

    let mut props_ok = Vec::new();
    let mut props_conflict = Vec::new();
--- a/crates/dav/src/privileges.rs
+++ b/crates/dav/src/privileges.rs
@@ -0,0 +1,78 @@
+use serde::{Deserialize, Serialize};
+use std::collections::HashSet;
+
+#[derive(Debug, Clone, Serialize, Deserialize, Eq, Hash, PartialEq)]
+#[serde(rename_all = "kebab-case")]
+pub enum UserPrivilege {
+    Read,
+    Write,
+    WriteProperties,
+    WriteContent,
+    ReadAcl,
+    ReadCurrentUserPrivilegeSet,
+    WriteAcl,
+    All,
+}
+
+impl Serialize for UserPrivilegeSet {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        #[derive(Serialize)]
+        #[serde(rename_all = "kebab-case")]
+        pub struct UserPrivilegeWrapper<'a> {
+            #[serde(rename = "$value")]
+            privilege: &'a UserPrivilege,
+        }
+        #[derive(Serialize)]
+        #[serde(rename_all = "kebab-case")]
+        pub struct FakeUserPrivilegeSet<'a> {
+            #[serde(rename = "privilege")]
+            privileges: Vec<UserPrivilegeWrapper<'a>>,
+        }
+        FakeUserPrivilegeSet {
+            privileges: self
+                .privileges
+                .iter()
+                .map(|privilege| UserPrivilegeWrapper { privilege })
+                .collect(),
+        }
+        .serialize(serializer)
+    }
+}
+
+// TODO: implement Deserialize once we need it
+#[derive(Debug, Clone, Deserialize, Default)]
+#[serde(rename_all = "kebab-case")]
+pub struct UserPrivilegeSet {
+    privileges: HashSet<UserPrivilege>,
+}
+
+impl UserPrivilegeSet {
+    pub fn has(&self, privilege: &UserPrivilege) -> bool {
+        self.privileges.contains(privilege) || self.privileges.contains(&UserPrivilege::All)
+    }
+
+    pub fn all() -> Self {
+        Self {
+            privileges: HashSet::from([UserPrivilege::All]),
+        }
+    }
+
+    pub fn owner_only(is_owner: bool) -> Self {
+        if is_owner {
+            Self::all()
+        } else {
+            Self::default()
+        }
+    }
+}
+
+impl<const N: usize> From<[UserPrivilege; N]> for UserPrivilegeSet {
+    fn from(privileges: [UserPrivilege; N]) -> Self {
+        Self {
+            privileges: HashSet::from(privileges),
+        }
+    }
+}
--- a/crates/dav/src/resource.rs
+++ b/crates/dav/src/resource.rs
@@ -1,4 +1,5 @@
 use crate::methods::{route_delete, route_propfind, route_proppatch};
+use crate::privileges::UserPrivilegeSet;
 use crate::xml::multistatus::{PropTagWrapper, PropstatElement, PropstatWrapper};
 use crate::xml::{multistatus::ResponseElement, TagList};
 use crate::Error;
@@ -25,8 +26,12 @@ pub trait Resource: Clone {
        Self::PropName::VARIANTS
    }

-    fn get_prop(&self, rmap: &ResourceMap, prop: Self::PropName)
-        -> Result<Self::Prop, Self::Error>;
+    fn get_prop(
+        &self,
+        rmap: &ResourceMap,
+        user: &User,
+        prop: Self::PropName,
+    ) -> Result<Self::Prop, Self::Error>;

    fn set_prop(&mut self, _prop: Self::Prop) -> Result<(), crate::Error> {
        Err(crate::Error::PropReadOnly)
@@ -53,10 +58,13 @@ pub trait Resource: Clone {
            .to_owned())
    }

+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error>;
+
    fn propfind(
        &self,
        path: &str,
        mut props: Vec<&str>,
+        user: &User,
        rmap: &ResourceMap,
    ) -> Result<ResponseElement<PropstatWrapper<Self::Prop>>, Self::Error> {
        if props.contains(&"propname") {
@@ -104,7 +112,7 @@ pub trait Resource: Clone {

        let prop_responses = valid_props
            .into_iter()
-            .map(|prop| self.get_prop(rmap, prop))
+            .map(|prop| self.get_prop(rmap, user, prop))
            .collect::<Result<Vec<Self::Prop>, Self::Error>>()?;

        let mut propstats = vec![PropstatWrapper::Normal(PropstatElement {
@@ -154,7 +162,7 @@ pub trait ResourceService: Sized + 'static {
        Ok(vec![])
    }

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error>;
+    async fn get_resource(&self) -> Result<Self::Resource, Self::Error>;
    async fn save_resource(&self, file: Self::Resource) -> Result<(), Self::Error>;
    async fn delete_resource(&self, _use_trashbin: bool) -> Result<(), Self::Error> {
        Err(crate::Error::Unauthorized.into())
--- a/crates/dav/src/xml/mod.rs
+++ b/crates/dav/src/xml/mod.rs
@@ -2,13 +2,14 @@ pub mod multistatus;
 pub mod tag_list;
 pub mod tag_name;

+use derive_more::derive::From;
 pub use multistatus::MultistatusElement;
 pub use tag_list::TagList;
 pub use tag_name::TagName;

 use serde::{Deserialize, Serialize};

-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, From)]
 pub struct HrefElement {
    pub href: String,
 }