Ensure all routes check for authorization

crates/caldav/src/calendar/methods/post.rs

@@ -1,8 +1,11 @@
+use crate::calendar::resource::CalendarResource;
 use crate::Error;
 use actix_web::http::header;
 use actix_web::web::{Data, Path};
 use actix_web::{HttpRequest, HttpResponse};
+use rustical_dav::privileges::UserPrivilege;
 use rustical_dav::push::PushRegister;
+use rustical_dav::resource::Resource;
 use rustical_store::auth::User;
 use rustical_store::{CalendarStore, Subscription, SubscriptionStore};
 use rustical_xml::XmlDocument;
@@ -25,6 +28,18 @@ pub async fn route_post<C: CalendarStore, S: SubscriptionStore>(
     }
 
     let calendar = store.get_calendar(&principal, &cal_id).await?;
+    let calendar_resource = CalendarResource {
+        cal: calendar,
+        read_only: true,
+    };
+
+    if !calendar_resource
+        .get_user_privileges(&user)?
+        .has(&UserPrivilege::Read)
+    {
+        return Err(Error::Unauthorized);
+    }
+
     let request = PushRegister::parse_str(&body)?;
     let sub_id = uuid::Uuid::new_v4().to_string();
 
@@ -42,7 +57,7 @@ pub async fn route_post<C: CalendarStore, S: SubscriptionStore>(
             .web_push_subscription
             .push_resource
             .to_owned(),
-        topic: calendar.push_topic,
+        topic: calendar_resource.cal.push_topic,
         expiration: expires.naive_local(),
     };
     subscription_store.upsert_subscription(subscription).await?;

crates/caldav/src/calendar/resource.rs

@@ -283,7 +283,7 @@ impl Resource for CalendarResource {
 
     fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
         if self.cal.subscription_url.is_some() || self.read_only {
-            return Ok(UserPrivilegeSet::read_only());
+            return Ok(UserPrivilegeSet::owner_read(self.cal.principal == user.id));
         }
 
         Ok(UserPrivilegeSet::owner_only(self.cal.principal == user.id))