Ensure all routes check for authorization
@@ -1,8 +1,11 @@
|
|||||||
|
use crate::calendar::resource::CalendarResource;
|
||||||
use crate::Error;
|
use crate::Error;
|
||||||
use actix_web::http::header;
|
use actix_web::http::header;
|
||||||
use actix_web::web::{Data, Path};
|
use actix_web::web::{Data, Path};
|
||||||
use actix_web::{HttpRequest, HttpResponse};
|
use actix_web::{HttpRequest, HttpResponse};
|
||||||
|
use rustical_dav::privileges::UserPrivilege;
|
||||||
use rustical_dav::push::PushRegister;
|
use rustical_dav::push::PushRegister;
|
||||||
|
use rustical_dav::resource::Resource;
|
||||||
use rustical_store::auth::User;
|
use rustical_store::auth::User;
|
||||||
use rustical_store::{CalendarStore, Subscription, SubscriptionStore};
|
use rustical_store::{CalendarStore, Subscription, SubscriptionStore};
|
||||||
use rustical_xml::XmlDocument;
|
use rustical_xml::XmlDocument;
|
||||||
@@ -25,6 +28,18 @@ pub async fn route_post<C: CalendarStore, S: SubscriptionStore>(
|
|||||||
}
|
}
|
||||||
|
|
||||||
let calendar = store.get_calendar(&principal, &cal_id).await?;
|
let calendar = store.get_calendar(&principal, &cal_id).await?;
|
||||||
|
let calendar_resource = CalendarResource {
|
||||||
|
cal: calendar,
|
||||||
|
read_only: true,
|
||||||
|
};
|
||||||
|
|
||||||
|
if !calendar_resource
|
||||||
|
.get_user_privileges(&user)?
|
||||||
|
.has(&UserPrivilege::Read)
|
||||||
|
{
|
||||||
|
return Err(Error::Unauthorized);
|
||||||
|
}
|
||||||
|
|
||||||
let request = PushRegister::parse_str(&body)?;
|
let request = PushRegister::parse_str(&body)?;
|
||||||
let sub_id = uuid::Uuid::new_v4().to_string();
|
let sub_id = uuid::Uuid::new_v4().to_string();
|
||||||
|
|
||||||
@@ -42,7 +57,7 @@ pub async fn route_post<C: CalendarStore, S: SubscriptionStore>(
|
|||||||
.web_push_subscription
|
.web_push_subscription
|
||||||
.push_resource
|
.push_resource
|
||||||
.to_owned(),
|
.to_owned(),
|
||||||
topic: calendar.push_topic,
|
topic: calendar_resource.cal.push_topic,
|
||||||
expiration: expires.naive_local(),
|
expiration: expires.naive_local(),
|
||||||
};
|
};
|
||||||
subscription_store.upsert_subscription(subscription).await?;
|
subscription_store.upsert_subscription(subscription).await?;
|
||||||
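Review bot: The privilege check added in `route_post` runs only after `store.get_calendar(&principal, &cal_id).await?` has succeeded, so a caller without Read gets the store's lookup error for a missing calendar and `Error::Unauthorized` for an existing one, and can tell the two apart. Unless the check that closes just above the hunk (not visible here) already rejects foreign principals, consider returning the same error in both cases. The same lookup-then-check ordering appears in `get_object` for address books. The hard-coded `read_only: true` also deserves a comment, e.g. `// read_only only selects the read-only privilege branch; this route checks Read and nothing else`.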
|
|||||||
@@ -283,7 +283,7 @@ impl Resource for CalendarResource {
|
|||||||
|
|
||||||
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
|
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
|
||||||
if self.cal.subscription_url.is_some() || self.read_only {
|
if self.cal.subscription_url.is_some() || self.read_only {
|
||||||
return Ok(UserPrivilegeSet::read_only());
|
return Ok(UserPrivilegeSet::owner_read(self.cal.principal == user.id));
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(UserPrivilegeSet::owner_only(self.cal.principal == user.id))
|
Ok(UserPrivilegeSet::owner_only(self.cal.principal == user.id))
|
||||||
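Review bot: `self.cal.principal == user.id` is now evaluated in both return paths of `CalendarResource::get_user_privileges`; binding it once, `let is_owner = self.cal.principal == user.id;`, keeps the ownership test in one place so the two branches cannot drift apart. A one-line doc comment stating that a non-owner receives whatever `owner_read(false)` or `owner_only(false)` returns would make the access rule explicit for the next reader. The impl block starts and ends outside the hunk.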
|
|||||||
@@ -53,7 +53,7 @@ impl Resource for CalendarSetResource {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
|
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
|
||||||
Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
|
Ok(UserPrivilegeSet::owner_read(self.principal == user.id))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
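Review bot: Switching `CalendarSetResource::get_user_privileges` from `owner_only` to `owner_read` narrows what the owner gets as well, presumably down to the read-only set, not only what other users get. If any handler checks a write-type privilege on the calendar set through this method (none is visible here), the owner will now be refused. Please confirm that is intended and record it in a comment such as `// the home set itself is read-only; child collections carry their own privileges`. The same change and the same question apply to `PrincipalResource::get_user_privileges`.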
|
|||||||
@@ -113,7 +113,7 @@ impl Resource for PrincipalResource {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
|
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
|
||||||
Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
|
Ok(UserPrivilegeSet::owner_read(self.principal == user.id))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,10 +1,13 @@
|
|||||||
use super::resource::AddressObjectPathComponents;
|
use super::resource::AddressObjectPathComponents;
|
||||||
|
use crate::addressbook::resource::AddressbookResource;
|
||||||
use crate::Error;
|
use crate::Error;
|
||||||
use actix_web::http::header;
|
use actix_web::http::header;
|
||||||
use actix_web::http::header::HeaderValue;
|
use actix_web::http::header::HeaderValue;
|
||||||
use actix_web::web::{Data, Path};
|
use actix_web::web::{Data, Path};
|
||||||
use actix_web::HttpRequest;
|
use actix_web::HttpRequest;
|
||||||
use actix_web::HttpResponse;
|
use actix_web::HttpResponse;
|
||||||
|
use rustical_dav::privileges::UserPrivilege;
|
||||||
|
use rustical_dav::resource::Resource;
|
||||||
use rustical_store::auth::User;
|
use rustical_store::auth::User;
|
||||||
use rustical_store::{AddressObject, AddressbookStore};
|
use rustical_store::{AddressObject, AddressbookStore};
|
||||||
use tracing::instrument;
|
use tracing::instrument;
|
||||||
@@ -28,8 +31,12 @@ pub async fn get_object<AS: AddressbookStore>(
|
|||||||
}
|
}
|
||||||
|
|
||||||
let addressbook = store.get_addressbook(&principal, &addressbook_id).await?;
|
let addressbook = store.get_addressbook(&principal, &addressbook_id).await?;
|
||||||
if user.id != addressbook.principal {
|
let addressbook_resource = AddressbookResource(addressbook);
|
||||||
return Ok(HttpResponse::Unauthorized().body(""));
|
if !addressbook_resource
|
||||||
|
.get_user_privileges(&user)?
|
||||||
|
.has(&UserPrivilege::Read)
|
||||||
|
{
|
||||||
|
return Err(Error::Unauthorized);
|
||||||
}
|
}
|
||||||
|
|
||||||
let object = store
|
let object = store
|
||||||
|
|||||||
@@ -66,7 +66,7 @@ pub enum AddressbookPropWrapper {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone, Debug, From, Into)]
|
#[derive(Clone, Debug, From, Into)]
|
||||||
pub struct AddressbookResource(Addressbook);
|
pub struct AddressbookResource(pub(crate) Addressbook);
|
||||||
|
|
||||||
impl SyncTokenExtension for AddressbookResource {
|
impl SyncTokenExtension for AddressbookResource {
|
||||||
fn get_synctoken(&self) -> String {
|
fn get_synctoken(&self) -> String {
|
||||||
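Review bot: Widening the tuple field to `pub(crate) Addressbook` looks unnecessary, because the struct already derives `From` and `Into` on the line above. The caller in `get_object` can build the wrapper with `let addressbook_resource = AddressbookResource::from(addressbook);` and the field can stay private. Keeping it private prevents other modules in the crate from reaching into the wrapped `Addressbook` and bypassing the `Resource` methods that carry the privilege logic.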
|
|||||||
@@ -64,6 +64,14 @@ impl UserPrivilegeSet {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn owner_read(is_owner: bool) -> Self {
|
||||||
|
if is_owner {
|
||||||
|
Self::read_only()
|
||||||
|
} else {
|
||||||
|
Self::default()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub fn read_only() -> Self {
|
pub fn read_only() -> Self {
|
||||||
Self {
|
Self {
|
||||||
privileges: HashSet::from([
|
privileges: HashSet::from([
|
||||||
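Review bot: `owner_read` has no doc comment, and its non-owner branch depends on `Self::default()` being the empty privilege set, which this hunk does not show. Since several `get_user_privileges` implementations now rely on it for access control, state the contract explicitly, e.g. `/// Read-only privileges for the owner; the default (expected: empty) set for everyone else.` A unit test asserting that `owner_read(false)` does not contain `UserPrivilege::Read` would pin that assumption.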
|
|||||||
@@ -4,6 +4,7 @@ use actix_web::{
|
|||||||
HttpRequest, HttpResponse, Responder,
|
HttpRequest, HttpResponse, Responder,
|
||||||
};
|
};
|
||||||
use askama::Template;
|
use askama::Template;
|
||||||
|
use askama_actix::TemplateToResponse;
|
||||||
use rustical_store::{auth::User, Addressbook, AddressbookStore};
|
use rustical_store::{auth::User, Addressbook, AddressbookStore};
|
||||||
|
|
||||||
#[derive(Template)]
|
#[derive(Template)]
|
||||||
@@ -15,21 +16,28 @@ struct AddressbookPage {
|
|||||||
pub async fn route_addressbook<AS: AddressbookStore>(
|
pub async fn route_addressbook<AS: AddressbookStore>(
|
||||||
path: Path<(String, String)>,
|
path: Path<(String, String)>,
|
||||||
store: Data<AS>,
|
store: Data<AS>,
|
||||||
_user: User,
|
user: User,
|
||||||
) -> Result<impl Responder, rustical_store::Error> {
|
) -> Result<impl Responder, rustical_store::Error> {
|
||||||
let (owner, addrbook_id) = path.into_inner();
|
let (owner, addrbook_id) = path.into_inner();
|
||||||
|
if owner != user.id {
|
||||||
|
return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
|
||||||
|
}
|
||||||
Ok(AddressbookPage {
|
Ok(AddressbookPage {
|
||||||
addressbook: store.get_addressbook(&owner, &addrbook_id).await?,
|
addressbook: store.get_addressbook(&owner, &addrbook_id).await?,
|
||||||
})
|
}
|
||||||
|
.to_response())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn route_addressbook_restore<AS: AddressbookStore>(
|
pub async fn route_addressbook_restore<AS: AddressbookStore>(
|
||||||
path: Path<(String, String)>,
|
path: Path<(String, String)>,
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
store: Data<AS>,
|
store: Data<AS>,
|
||||||
_user: User,
|
user: User,
|
||||||
) -> Result<impl Responder, rustical_store::Error> {
|
) -> Result<impl Responder, rustical_store::Error> {
|
||||||
let (owner, addressbook_id) = path.into_inner();
|
let (owner, addressbook_id) = path.into_inner();
|
||||||
|
if owner != user.id {
|
||||||
|
return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
|
||||||
|
}
|
||||||
store.restore_addressbook(&owner, &addressbook_id).await?;
|
store.restore_addressbook(&owner, &addressbook_id).await?;
|
||||||
Ok(match req.headers().get(header::REFERER) {
|
Ok(match req.headers().get(header::REFERER) {
|
||||||
Some(referer) => web::Redirect::to(referer.to_str().unwrap().to_owned())
|
Some(referer) => web::Redirect::to(referer.to_str().unwrap().to_owned())
|
||||||
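Review bot: The new owner check in `route_addressbook` and `route_addressbook_restore` answers a non-owner with `HttpResponse::Unauthorized()`, i.e. 401, which signals missing or invalid credentials and can make clients re-prompt for login. The caller has presumably already authenticated by the time the `User` argument is available, so 403 describes the situation better: `return Ok(HttpResponse::Forbidden().body("Forbidden"));`. The same applies to `route_calendar` and `route_calendar_restore`. Both restore handlers continue outside the hunk.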
|
|||||||
@@ -4,6 +4,7 @@ use actix_web::{
|
|||||||
HttpRequest, HttpResponse, Responder,
|
HttpRequest, HttpResponse, Responder,
|
||||||
};
|
};
|
||||||
use askama::Template;
|
use askama::Template;
|
||||||
|
use askama_actix::TemplateToResponse;
|
||||||
use rustical_store::{auth::User, Calendar, CalendarStore};
|
use rustical_store::{auth::User, Calendar, CalendarStore};
|
||||||
|
|
||||||
#[derive(Template)]
|
#[derive(Template)]
|
||||||
@@ -15,21 +16,28 @@ struct CalendarPage {
|
|||||||
pub async fn route_calendar<C: CalendarStore>(
|
pub async fn route_calendar<C: CalendarStore>(
|
||||||
path: Path<(String, String)>,
|
path: Path<(String, String)>,
|
||||||
store: Data<C>,
|
store: Data<C>,
|
||||||
_user: User,
|
user: User,
|
||||||
) -> Result<impl Responder, rustical_store::Error> {
|
) -> Result<impl Responder, rustical_store::Error> {
|
||||||
let (owner, cal_id) = path.into_inner();
|
let (owner, cal_id) = path.into_inner();
|
||||||
|
if owner != user.id {
|
||||||
|
return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
|
||||||
|
}
|
||||||
Ok(CalendarPage {
|
Ok(CalendarPage {
|
||||||
calendar: store.get_calendar(&owner, &cal_id).await?,
|
calendar: store.get_calendar(&owner, &cal_id).await?,
|
||||||
})
|
}
|
||||||
|
.to_response())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn route_calendar_restore<CS: CalendarStore>(
|
pub async fn route_calendar_restore<CS: CalendarStore>(
|
||||||
path: Path<(String, String)>,
|
path: Path<(String, String)>,
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
store: Data<CS>,
|
store: Data<CS>,
|
||||||
_user: User,
|
user: User,
|
||||||
) -> Result<impl Responder, rustical_store::Error> {
|
) -> Result<impl Responder, rustical_store::Error> {
|
||||||
let (owner, cal_id) = path.into_inner();
|
let (owner, cal_id) = path.into_inner();
|
||||||
|
if owner != user.id {
|
||||||
|
return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
|
||||||
|
}
|
||||||
store.restore_calendar(&owner, &cal_id).await?;
|
store.restore_calendar(&owner, &cal_id).await?;
|
||||||
Ok(match req.headers().get(header::REFERER) {
|
Ok(match req.headers().get(header::REFERER) {
|
||||||
Some(referer) => web::Redirect::to(referer.to_str().unwrap().to_owned())
|
Some(referer) => web::Redirect::to(referer.to_str().unwrap().to_owned())
|
||||||
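Review bot: In `route_calendar_restore` the `Referer` header is turned into the redirect target with `referer.to_str().unwrap()`, and `to_str()` returns an error for header bytes outside visible ASCII, so a request-controlled value can panic the handler. Matching on `req.headers().get(header::REFERER).and_then(|r| r.to_str().ok())` and using `web::Redirect::to(referer.to_owned())` in the `Some` arm sends malformed values down the existing fallback arm instead. It would also be worth restricting the target to a same-origin path, since the value comes from the request. `route_addressbook_restore` has the same line, and the `match` continues outside the hunk in both.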
|
|||||||