fix(caldav): Fix permissions to allow for deletion of calendar subscriptions

fixes #84
2025-12-13 13:32:16 +00:00 · 2025-06-23 14:04:09 +02:00
parent e5687c6e43
commit 79c66a0b46
3 changed files with 35 additions and 2 deletions
--- a/crates/caldav/src/calendar/resource.rs
+++ b/crates/caldav/src/calendar/resource.rs
@@ -292,7 +292,12 @@ impl Resource for CalendarResource {
    }

    fn get_user_privileges(&self, user: &Principal) -> Result<UserPrivilegeSet, Self::Error> {
-        if self.cal.subscription_url.is_some() || self.read_only {
+        if self.cal.subscription_url.is_some() {
+            return Ok(UserPrivilegeSet::owner_write_properties(
+                user.is_principal(&self.cal.principal),
+            ));
+        }
+        if self.read_only {
            return Ok(UserPrivilegeSet::owner_read(
                user.is_principal(&self.cal.principal),
            ));
--- a/crates/dav/src/privileges.rs
+++ b/crates/dav/src/privileges.rs
@@ -2,6 +2,7 @@ use quick_xml::name::Namespace;
 use rustical_xml::{XmlDeserialize, XmlSerialize};
 use std::collections::{HashMap, HashSet};

+// https://datatracker.ietf.org/doc/html/rfc3744
 #[derive(Debug, Clone, XmlSerialize, XmlDeserialize, Eq, Hash, PartialEq)]
 pub enum UserPrivilege {
    Read,
@@ -47,6 +48,12 @@ pub struct UserPrivilegeSet {

 impl UserPrivilegeSet {
    pub fn has(&self, privilege: &UserPrivilege) -> bool {
+        if (privilege == &UserPrivilege::WriteProperties
+            || privilege == &UserPrivilege::WriteContent)
+            && self.privileges.contains(&UserPrivilege::Write)
+        {
+            return true;
+        }
        self.privileges.contains(privilege) || self.privileges.contains(&UserPrivilege::All)
    }

@@ -72,6 +79,15 @@ impl UserPrivilegeSet {
        }
    }

+    pub fn owner_write_properties(is_owner: bool) -> Self {
+        // Content is read-only but we can write properties
+        if is_owner {
+            Self::write_properties()
+        } else {
+            Self::default()
+        }
+    }
+
    pub fn read_only() -> Self {
        Self {
            privileges: HashSet::from([
@@ -81,6 +97,17 @@ impl UserPrivilegeSet {
            ]),
        }
    }
+
+    pub fn write_properties() -> Self {
+        Self {
+            privileges: HashSet::from([
+                UserPrivilege::Read,
+                UserPrivilege::WriteProperties,
+                UserPrivilege::ReadAcl,
+                UserPrivilege::ReadCurrentUserPrivilegeSet,
+            ]),
+        }
+    }
 }

 impl<const N: usize> From<[UserPrivilege; N]> for UserPrivilegeSet {
--- a/crates/dav/src/resource/methods/delete.rs
+++ b/crates/dav/src/resource/methods/delete.rs
@@ -47,8 +47,9 @@ pub async fn route_delete<R: ResourceService>(
 ) -> Result<(), R::Error> {
    let resource = resource_service.get_resource(path_components).await?;

+    // Kind of a bodge since we don't get unbind from the parent
    let privileges = resource.get_user_privileges(principal)?;
-    if !privileges.has(&UserPrivilege::Write) {
+    if !privileges.has(&UserPrivilege::WriteProperties) {
        return Err(Error::Unauthorized.into());
    }