Ensure all routes check for authorization

Lennart
2025-01-19 00:20:16 +01:00
parent 130f754cdd
commit 6485b89c73
9 changed files with 59 additions and 13 deletions


@@ -1,10 +1,13 @@
use super::resource::AddressObjectPathComponents;
use crate::addressbook::resource::AddressbookResource;
use crate::Error;
use actix_web::http::header;
use actix_web::http::header::HeaderValue;
use actix_web::web::{Data, Path};
use actix_web::HttpRequest;
use actix_web::HttpResponse;
use rustical_dav::privileges::UserPrivilege;
use rustical_dav::resource::Resource;
use rustical_store::auth::User;
use rustical_store::{AddressObject, AddressbookStore};
use tracing::instrument;
@@ -28,8 +31,12 @@ pub async fn get_object<AS: AddressbookStore>(
}
let addressbook = store.get_addressbook(&principal, &addressbook_id).await?;
if user.id != addressbook.principal {
return Ok(HttpResponse::Unauthorized().body(""));
let addressbook_resource = AddressbookResource(addressbook);
if !addressbook_resource
.get_user_privileges(&user)?
.has(&UserPrivilege::Read)
{
return Err(Error::Unauthorized);
}
let object = store