Improvement to access control

2025-12-15 02:42:30 +00:00 · 2024-10-31 21:18:41 +01:00
parent c484a17911
commit 0c14f8ba90
24 changed files with 394 additions and 215 deletions
--- a/crates/caldav/src/calendar/methods/report/calendar_multiget.rs
+++ b/crates/caldav/src/calendar/methods/report/calendar_multiget.rs
@@ -16,7 +16,7 @@ use rustical_dav::{
        MultistatusElement,
    },
 };
-use rustical_store::{CalendarObject, CalendarStore};
+use rustical_store::{auth::User, CalendarObject, CalendarStore};
 use serde::Deserialize;

 #[derive(Deserialize, Clone, Debug)]
@@ -65,6 +65,7 @@ pub async fn get_objects_calendar_multiget<C: CalendarStore + ?Sized>(
 pub async fn handle_calendar_multiget<C: CalendarStore + ?Sized>(
    cal_multiget: CalendarMultigetRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    cal_store: &C,
@@ -88,11 +89,13 @@ pub async fn handle_calendar_multiget<C: CalendarStore + ?Sized>(
    let mut responses = Vec::new();
    for object in objects {
        let path = format!("{}/{}", req.path(), object.get_id());
-        responses.push(CalendarObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            CalendarObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    let not_found_responses = not_found
--- a/crates/caldav/src/calendar/methods/report/calendar_query.rs
+++ b/crates/caldav/src/calendar/methods/report/calendar_query.rs
@@ -5,7 +5,7 @@ use rustical_dav::{
    resource::Resource,
    xml::{multistatus::PropstatWrapper, MultistatusElement},
 };
-use rustical_store::{CalendarObject, CalendarStore};
+use rustical_store::{auth::User, CalendarObject, CalendarStore};
 use serde::Deserialize;

 use crate::{
@@ -206,6 +206,7 @@ pub async fn get_objects_calendar_query<C: CalendarStore + ?Sized>(
 pub async fn handle_calendar_query<C: CalendarStore + ?Sized>(
    cal_query: CalendarQueryRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    cal_store: &C,
@@ -230,11 +231,13 @@ pub async fn handle_calendar_query<C: CalendarStore + ?Sized>(
            vec![principal, cal_id, object.get_id()],
        )
        .unwrap();
-        responses.push(CalendarObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            CalendarObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    Ok(MultistatusElement {
--- a/crates/caldav/src/calendar/methods/report/mod.rs
+++ b/crates/caldav/src/calendar/methods/report/mod.rs
@@ -47,16 +47,32 @@ pub async fn route_report_calendar<C: CalendarStore + ?Sized>(

    Ok(match request.clone() {
        ReportRequest::CalendarQuery(cal_query) => {
-            handle_calendar_query(cal_query, req, &principal, &cal_id, cal_store.as_ref()).await?
+            handle_calendar_query(
+                cal_query,
+                req,
+                &user,
+                &principal,
+                &cal_id,
+                cal_store.as_ref(),
+            )
+            .await?
        }
        ReportRequest::CalendarMultiget(cal_multiget) => {
-            handle_calendar_multiget(cal_multiget, req, &principal, &cal_id, cal_store.as_ref())
-                .await?
+            handle_calendar_multiget(
+                cal_multiget,
+                req,
+                &user,
+                &principal,
+                &cal_id,
+                cal_store.as_ref(),
+            )
+            .await?
        }
        ReportRequest::SyncCollection(sync_collection) => {
            handle_sync_collection(
                sync_collection,
                req,
+                &user,
                &principal,
                &cal_id,
                cal_store.as_ref(),
--- a/crates/caldav/src/calendar/methods/report/sync_collection.rs
+++ b/crates/caldav/src/calendar/methods/report/sync_collection.rs
@@ -8,6 +8,7 @@ use rustical_dav::{
    },
 };
 use rustical_store::{
+    auth::User,
    synctoken::{format_synctoken, parse_synctoken},
    CalendarStore,
 };
@@ -44,6 +45,7 @@ pub struct SyncCollectionRequest {
 pub async fn handle_sync_collection<C: CalendarStore + ?Sized>(
    sync_collection: SyncCollectionRequest,
    req: HttpRequest,
+    user: &User,
    principal: &str,
    cal_id: &str,
    cal_store: &C,
@@ -71,11 +73,13 @@ pub async fn handle_sync_collection<C: CalendarStore + ?Sized>(
            vec![principal, cal_id, &object.get_id()],
        )
        .unwrap();
-        responses.push(CalendarObjectResource::from(object).propfind(
-            &path,
-            props.clone(),
-            req.resource_map(),
-        )?);
+        responses.push(
+            CalendarObjectResource {
+                object,
+                principal: principal.to_owned(),
+            }
+            .propfind(&path, props.clone(), user, req.resource_map())?,
+        );
    }

    for object_id in deleted_objects {
--- a/crates/caldav/src/calendar/prop.rs
+++ b/crates/caldav/src/calendar/prop.rs
@@ -47,55 +47,6 @@ pub struct Resourcetype {
    collection: (),
 }

-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum UserPrivilege {
-    Read,
-    ReadAcl,
-    Write,
-    WriteAcl,
-    WriteContent,
-    ReadCurrentUserPrivilegeSet,
-    Bind,
-    Unbind,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct UserPrivilegeWrapper {
-    #[serde(rename = "$value")]
-    privilege: UserPrivilege,
-}
-
-impl From<UserPrivilege> for UserPrivilegeWrapper {
-    fn from(value: UserPrivilege) -> Self {
-        Self { privilege: value }
-    }
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct UserPrivilegeSet {
-    privilege: Vec<UserPrivilegeWrapper>,
-}
-
-impl Default for UserPrivilegeSet {
-    fn default() -> Self {
-        Self {
-            privilege: vec![
-                UserPrivilege::Read.into(),
-                UserPrivilege::ReadAcl.into(),
-                UserPrivilege::Write.into(),
-                UserPrivilege::WriteAcl.into(),
-                UserPrivilege::WriteContent.into(),
-                UserPrivilege::ReadCurrentUserPrivilegeSet.into(),
-                UserPrivilege::Bind.into(),
-                UserPrivilege::Unbind.into(),
-            ],
-        }
-    }
-}
-
 #[derive(Debug, Clone, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub enum ReportMethod {
--- a/crates/caldav/src/calendar/resource.rs
+++ b/crates/caldav/src/calendar/resource.rs
@@ -2,7 +2,7 @@ use super::methods::mkcalendar::route_mkcalendar;
 use super::methods::report::route_report_calendar;
 use super::prop::{
    Resourcetype, SupportedCalendarComponent, SupportedCalendarComponentSet, SupportedCalendarData,
-    SupportedReportSet, UserPrivilegeSet,
+    SupportedReportSet,
 };
 use crate::calendar_object::resource::CalendarObjectResource;
 use crate::principal::PrincipalResource;
@@ -13,6 +13,7 @@ use actix_web::web;
 use actix_web::{web::Data, HttpRequest};
 use async_trait::async_trait;
 use derive_more::derive::{From, Into};
+use rustical_dav::privileges::UserPrivilegeSet;
 use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
 use rustical_dav::xml::HrefElement;
 use rustical_store::auth::User;
@@ -43,7 +44,7 @@ pub enum CalendarPropName {
    SupportedCalendarComponentSet,
    SupportedCalendarData,
    Getcontenttype,
-    CurrentUserPrivilegeSet,
+    // CurrentUserPrivilegeSet,
    MaxResourceSize,
    SupportedReportSet,
    SyncToken,
@@ -63,7 +64,7 @@ pub enum CalendarProp {

    // WebDAV Access Control (RFC 3744)
    Owner(HrefElement),
-    CurrentUserPrivilegeSet(UserPrivilegeSet),
+    // CurrentUserPrivilegeSet(UserPrivilegeSet),

    // CalDAV (RFC 4791)
    #[serde(rename = "IC:calendar-color", alias = "calendar-color")]
@@ -113,6 +114,7 @@ impl Resource for CalendarResource {
    fn get_prop(
        &self,
        rmap: &ResourceMap,
+        user: &User,
        prop: Self::PropName,
    ) -> Result<Self::Prop, Self::Error> {
        Ok(match prop {
@@ -156,9 +158,9 @@ impl Resource for CalendarResource {
                CalendarProp::Getcontenttype("text/calendar;charset=utf-8".to_owned())
            }
            CalendarPropName::MaxResourceSize => CalendarProp::MaxResourceSize(10000000),
-            CalendarPropName::CurrentUserPrivilegeSet => {
-                CalendarProp::CurrentUserPrivilegeSet(UserPrivilegeSet::default())
-            }
+            // CalendarPropName::CurrentUserPrivilegeSet => {
+            //     CalendarProp::CurrentUserPrivilegeSet(user_privileges.to_owned())
+            // }
            CalendarPropName::SupportedReportSet => {
                CalendarProp::SupportedReportSet(SupportedReportSet::default())
            }
@@ -198,7 +200,7 @@ impl Resource for CalendarResource {
            CalendarProp::SupportedCalendarData(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::Getcontenttype(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::MaxResourceSize(_) => Err(rustical_dav::Error::PropReadOnly),
-            CalendarProp::CurrentUserPrivilegeSet(_) => Err(rustical_dav::Error::PropReadOnly),
+            // CalendarProp::CurrentUserPrivilegeSet(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::SupportedReportSet(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::SyncToken(_) => Err(rustical_dav::Error::PropReadOnly),
            CalendarProp::Getctag(_) => Err(rustical_dav::Error::PropReadOnly),
@@ -237,7 +239,7 @@ impl Resource for CalendarResource {
            CalendarPropName::SupportedCalendarData => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::Getcontenttype => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::MaxResourceSize => Err(rustical_dav::Error::PropReadOnly),
-            CalendarPropName::CurrentUserPrivilegeSet => Err(rustical_dav::Error::PropReadOnly),
+            // CalendarPropName::CurrentUserPrivilegeSet => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::SupportedReportSet => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::SyncToken => Err(rustical_dav::Error::PropReadOnly),
            CalendarPropName::Getctag => Err(rustical_dav::Error::PropReadOnly),
@@ -248,6 +250,10 @@ impl Resource for CalendarResource {
    fn resource_name() -> &'static str {
        "caldav_calendar"
    }
+
+    fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
+        Ok(UserPrivilegeSet::owner_only(self.0.principal == user.id))
+    }
 }

 #[async_trait(?Send)]
@@ -257,10 +263,7 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarResourceService<C> {
    type Resource = CalendarResource;
    type Error = Error;

-    async fn get_resource(&self, user: User) -> Result<Self::Resource, Error> {
-        if self.principal != user.id {
-            return Err(Error::Unauthorized);
-        }
+    async fn get_resource(&self) -> Result<Self::Resource, Error> {
        let calendar = self
            .cal_store
            .get_calendar(&self.principal, &self.calendar_id)
@@ -285,7 +288,10 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarResourceService<C> {
                        vec![&self.principal, &self.calendar_id, object.get_id()],
                    )
                    .unwrap(),
-                    object.into(),
+                    CalendarObjectResource {
+                        object,
+                        principal: self.principal.to_owned(),
+                    },
                )
            })
            .collect())