Separation of authentication and authorization. Separation of read and write authorization.

Static test strategies for authentication. Barely tested. Use at your own risk!
2025-04-05 06:07:35 +03:00 · 2012-08-03 13:10:20 +02:00 · 2012-08-03 13:10:20 +02:00 · e40e68b528
commit e40e68b528
parent 83baebd750
14 changed files with 478 additions and 132 deletions
--- a/radicale/xmlutils.py
+++ b/radicale/xmlutils.py
@ -35,7 +35,7 @@ except ImportError:
 import re
 import xml.etree.ElementTree as ET

-from radicale import client, config, ical
+from radicale import client, config, ical, access


 NAMESPACES = {
@ -200,8 +200,9 @@ def propfind(path, xml_request, collections, user=None):
    multistatus = ET.Element(_tag("D", "multistatus"))

    for collection in collections:
-        response = _propfind_response(path, collection, props, user)
-        multistatus.append(response)
+        if access.may_read(user, collection):
+            response = _propfind_response(path, collection, props, user)
+            multistatus.append(response)

    return _pretty_xml(multistatus)

@ -283,14 +284,12 @@ def _propfind_response(path, item, props, user):
                if item.is_principal:
                    tag = ET.Element(_tag("D", "principal"))
                    element.append(tag)
-                if item.is_leaf(item.path) or (
-                        not item.exists and item.resource_type):
-                    # 2nd case happens when the collection is not stored yet,
-                    # but the resource type is guessed
-                    if item.resource_type == "addressbook":
-                        tag = ET.Element(_tag("CR", item.resource_type))
-                    else:
-                        tag = ET.Element(_tag("C", item.resource_type))
+                if item.is_leaf(item.path):
+                    tag = ET.Element(_tag("C", item.resource_type))
+                    element.append(tag)
+                if not item.exists and item.resource_type:
+                    # Collection not stored yet, but guessed resource type
+                    tag = ET.Element(_tag("C", item.resource_type))
                    element.append(tag)
                tag = ET.Element(_tag("D", "collection"))
                element.append(tag)
@ -301,8 +300,6 @@ def _propfind_response(path, item, props, user):
            elif tag == _tag("C", "calendar-timezone"):
                element.text = ical.serialize(
                    item.tag, item.headers, item.timezones)
-            elif tag == _tag("D", "displayname"):
-                element.text = item.name
            else:
                human_tag = _tag_from_clark(tag)
                if human_tag in collection_props:
@ -434,15 +431,8 @@ def report(path, xml_request, collection):
                in root.findall(_tag("D", "href")))
        else:
            hreferences = (path,)
-        # TODO: handle other filters
-        # TODO: handle the nested comp-filters correctly
-        # Read rfc4791-9.7.1 for info
-        tag_filters = set(
-            element.get("name") for element
-            in root.findall(".//%s" % _tag("C", "comp-filter")))
    else:
        hreferences = ()
-        tag_filters = None

    # Writing answer
    multistatus = ET.Element(_tag("D", "multistatus"))
@ -465,9 +455,6 @@ def report(path, xml_request, collection):
            items = collection.components

        for item in items:
-            if tag_filters and item.tag not in tag_filters:
-                continue
-
            response = ET.Element(_tag("D", "response"))
            multistatus.append(response)