* SoObjects/Appointments/SOGoAppointmentObject.m

(PUTAction:): detect conflicting event UID and deny the request accordingly. * Tests/Integration/test-caldav-scheduling.py: new test for bug #1853 Monotone-Parent: 32e30de409bdd4e864d0c454e1939c809fb8edcd Monotone-Revision: a4ef73c2ad79c8da8d8e0c93767ab06e14bc846b Monotone-Author: jraby@inverse.ca Monotone-Date: 2012-06-27T16:06:20
2012-06-27 16:06:20 +00:00 · 2012-06-27 16:06:20 +00:00 · 38b1cbd014
parent c74b5a1cc1
commit 38b1cbd014
3 changed files with 45 additions and 1 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2012-06-27  Jean Raby  <jraby@inverse.ca>
+
+	* SoObjects/Appointments/SOGoAppointmentObject.m
+	(PUTAction:): detect conflicting event UID and
+	deny the request accordingly.
+
 2012-06-21  Ludovic Marcotte  <lmarcotte@inverse.ca>

 	* Added the SOGoSearchMinimumWordLength domain
--- a/SoObjects/Appointments/SOGoAppointmentObject.m
+++ b/SoObjects/Appointments/SOGoAppointmentObject.m
@ -1756,15 +1756,25 @@ inRecurrenceExceptionsForEvent: (iCalEvent *) theEvent
    {
      iCalCalendar *calendar;
      SOGoUser *ownerUser;
-      iCalEvent *event;
+      iCalEvent *event, *conflictingEvent;
      
+      NSString *eventUID;
      BOOL scheduling;

      calendar = [iCalCalendar parseSingleFromSource: [rq contentAsString]];

      event = [[calendar events] objectAtIndex: 0];
+      eventUID = [event uid];
      ownerUser = [SOGoUser userWithLogin: owner];
      scheduling = [self _shouldScheduleEvent: [event organizer]];
+
+      // make sure eventUID doesn't conflict with an existing event -  see bug #1853
+      // TODO: send out a no-uid-conflict (DAV:href) xml element (rfc4791 section 5.3.2.1)
+      if (conflictingEvent = [container resourceNameForEventUID: eventUID])
+        {
+  NSString *reason = [NSString stringWithFormat: @"Event UID already in use. (%s)", eventUID];
+  return [NSException exceptionWithHTTPStatus:403 reason: reason];
+        }
     
      //
      // New event and we're the organizer -- send invitation to all attendees
--- a/Tests/Integration/test-caldav-scheduling.py
+++ b/Tests/Integration/test-caldav-scheduling.py
@ -4,6 +4,9 @@
 #        attendee1_delegate_username and superuser.
 # when writing new tests, avoid using superuser when not absolutely needed

+# TODO
+#   - Individual tests should set the ACLs themselves on Resources tests
+
 from config import hostname, port, username, password, \
 		   superuser, superuser_password, \
                   attendee1, attendee1_username, \
@ -791,6 +794,31 @@ class CalDAVSchedulingTest(unittest.TestCase):
        for attendee in org_ev.vevent.attendee_list:
          self.assertNotEqual(self.user_email, attendee.value)

+    def testEventsWithSameUID(self):
+        """ PUT 2 events with the same UID - bug #1853 """
+
+	ics_name = "test-same-uid.ics"
+        self.ics_list += [ics_name]
+
+	self._deleteEvent(self.client,
+			  "%s%s" % (self.user_calendar, ics_name), None)
+
+	conflict_ics_name = "test-same-uid-conflict.ics"
+        self.ics_list += [ics_name]
+
+	self._deleteEvent(self.client,
+			  "%s%s" % (self.user_calendar, conflict_ics_name), None)
+
+	# 1.  create simple event
+	summary="same uid"
+	uid=summary
+	event = self._newEvent(summary, uid)
+
+	self._putEvent(self.client, "%s%s" % (self.user_calendar, ics_name), event)
+
+        # PUT the same event with a new filename - should trigger a 403
+	self._putEvent(self.client, "%s%s" % (self.user_calendar, conflict_ics_name), event, exp_status=403)
+
    def testInvitationDelegation(self):
        """ invitation delegation """