Monotone-Parent: 4fcee5b7d94bbc45b4fc732c402cbfa7b3009735

Monotone-Revision: d486d5e829cf0bc377649b3e2d2ecfcc08afb8e8

Monotone-Author: wsourdeau@inverse.ca
Monotone-Date: 2010-07-15T14:54:03
Monotone-Branch: ca.inverse.sogo
maint-2.0.2
Wolfgang Sourdeau 2010-07-15 14:54:03 +00:00
parent ddf66a8d10
commit 97f72faf38
4 changed files with 57 additions and 22 deletions


@ -1,5 +1,23 @@
2010-07-15 Wolfgang Sourdeau <wsourdeau@inverse.ca>
* Tests/Integration/test-davacl.py
(DAVCalendarPublicAclTest.testCollectionAccessNormalUser): print
the amount of received hrefs.
* SoObjects/Appointments/SOGoAppointmentFolders.m
(-folderObjectKeys): we now check the "AccessObject"
right on the returned folders to determine whether their ICS or
XML version should be accessible.
* SoObjects/SOGo/SOGoParentFolder.m
(_fetchPersonalFolders:withChannel:): we no longer check access
rights from here as this method is too low level and prevent other
mechanisms from working properly.
(-lookupName:inContext:acquire:): we now check the "AccessObject"
right from here before returning the found object. We also make
use of the new "ignoreRights" method (see below) to that end.
(-toManyRelationShipKeys): same as lookupName... above.
* SoObjects/SOGo/SOGoObject.m (-ignoreRights): new utility method
that determines whether the current object must check access
rights on subobjects.


@ -29,6 +29,7 @@
#import <NGObjWeb/WOContext+SoObjects.h>
#import <NGObjWeb/WORequest+So.h>
#import <NGObjWeb/NSException+HTTP.h>
#import <NGObjWeb/SoSecurityManager.h>
#import <NGExtensions/NSObject+Logs.h>
#import <GDLAccess/EOAdaptorChannel.h>
@ -63,8 +64,16 @@
@end
static SoSecurityManager *sm = nil;
@implementation SOGoAppointmentFolders
+ (void) initialize
{
if (!sm)
sm = [SoSecurityManager sharedSecurityManager];
}
- (id) init
{
if ((self = [super init]))
@ -166,9 +175,11 @@
SOGoAppointmentFolder *folder;
NSString *folderObjectKey;
int count, max;
BOOL ignoreRights;
if (!folderObjectKeys)
{
ignoreRights = [self ignoreRights];
folders = [self subFolders];
max = [folders count];
folderObjectKeys = [[NSMutableArray alloc] initWithCapacity: max];
@ -176,7 +187,10 @@
{
folder = [folders objectAtIndex: count];
if ([folder isMemberOfClass: [SOGoAppointmentFolder class]]
&& ![folder isSubscription])
&& ![folder isSubscription]
&& (ignoreRights || ![sm validatePermission: SOGoPerm_AccessObject
onObject: folder
inContext: context]))
{
folderObjectKey = [NSString stringWithFormat: @"%@.ics",
[folder nameInContainer]];
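Review bot: The rights-filtered list is stored in the `folderObjectKeys` ivar under `if (!folderObjectKeys)`, so the `SOGoPerm_AccessObject` decision is taken once per instance and then reused. That is only safe if an instance is never kept beyond one request or shared between users, which this hunk does not show. I would state that assumption at the cache fill, e.g. `/* keys are filtered for the active user of "context"; never reuse across requests */`. The negated `![sm validatePermission: ...]` also deserves a one-line comment that the call yields nil when access is granted, since the bare `!` reads as "not permitted". The method starts and ends outside the hunk.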


@ -175,26 +175,19 @@ static SoSecurityManager *sm = nil;
{
NSArray *attrs;
NSDictionary *row;
BOOL hasPersonal, ignoreRights;
SOGoGCSFolder *folder;
NSString *key, *login;
NSException *error;
SOGoUser *currentUser;
SoSecurityManager *securityManager;
if (!subFolderClass)
subFolderClass = [[self class] subFolderClass];
hasPersonal = NO;
error = [fc evaluateExpressionX: sql];
if (!error)
{
currentUser = [context activeUser];
login = [currentUser login];
ignoreRights = (activeUserIsOwner || [login isEqualToString: owner]
|| [currentUser isSuperUser]);
if (!ignoreRights)
securityManager = [SoSecurityManager sharedSecurityManager];
attrs = [fc describeResults: NO];
while ((row = [fc fetchAttributes: attrs withZone: NULL]))
@ -203,19 +196,13 @@ static SoSecurityManager *sm = nil;
if ([key isKindOfClass: [NSString class]])
{
folder = [subFolderClass objectWithName: key inContainer: self];
hasPersonal = (hasPersonal
|| [key isEqualToString: @"personal"]);
[folder setOCSPath: [NSString stringWithFormat: @"%@/%@",
OCSPath, key]];
if (ignoreRights
|| ![securityManager validatePermission: SOGoPerm_AccessObject
onObject: folder
inContext: context])
[subFolders setObject: folder forKey: key];
[subFolders setObject: folder forKey: key];
}
}
if (ignoreRights && !hasPersonal)
if (![subFolders objectForKey: @"personal"])
[self _createPersonalFolder];
}
@ -413,8 +400,15 @@ static SoSecurityManager *sm = nil;
obj = [NSException exceptionWithHTTPStatus: 503];
}
else
obj = [subFolders objectForKey: name];
{
obj = [subFolders objectForKey: name];
if (obj && ![self ignoreRights]
&& [sm validatePermission: SOGoPerm_AccessObject
onObject: obj
inContext: context])
obj = nil;
}
if (!obj)
{
// Lookup in subscribed folders
@ -475,7 +469,7 @@ static SoSecurityManager *sm = nil;
#warning check error here
error = [self initSubFolders];
subs = [subFolders allValues];
count = [subs count];
for (i = 0; !rc && i < count; i++)
@ -492,11 +486,20 @@ static SoSecurityManager *sm = nil;
NSEnumerator *sortedSubFolders;
NSMutableArray *keys;
SOGoGCSFolder *currentFolder;
BOOL ignoreRights;
ignoreRights = [self ignoreRights];
keys = [NSMutableArray array];
sortedSubFolders = [[self subFolders] objectEnumerator];
while ((currentFolder = [sortedSubFolders nextObject]))
[keys addObject: [currentFolder nameInContainer]];
{
if (ignoreRights
|| ![sm validatePermission: SOGoPerm_AccessObject
onObject: currentFolder
inContext: context])
[keys addObject: [currentFolder nameInContainer]];
}
return keys;
}
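Review bot: With the check removed from `_fetchPersonalFolders:withChannel:`, `subFolders` now holds folders the active user may not access, so every reader has to repeat the `SOGoPerm_AccessObject` test. The hunk at -475 walks `[subFolders allValues]` with no such test visible, and its method continues outside the hunk, so it should be confirmed that it cannot reveal a folder's existence or name. The same condition is now written twice with opposite polarity, in the lookup hunk at -413 and the key-listing hunk at -492, which is easy to invert by mistake because `validatePermission:` appears to return a non-nil exception on denial. I would move it into one private helper, as sketched below, and call it from both places. Separately, the personal folder now seems to be created for any requester rather than only when rights were ignored, and that is worth confirming as intended.

```objc
/* YES when the active user may see "folder": rights are ignored for this
   container, or validatePermission: returns nil (no exception). */
- (BOOL) _activeUserCanAccessSubFolder: (SOGoGCSFolder *) folder
{
  return ([self ignoreRights]
          || ![sm validatePermission: SOGoPerm_AccessObject
                            onObject: folder
                           inContext: context]);
}

// … unchanged: lookupName:inContext:acquire: up to the subFolders lookup …
      obj = [subFolders objectForKey: name];
      if (obj && ![self _activeUserCanAccessSubFolder: obj])
        obj = nil;

// … unchanged: key-listing method, declarations and enumerator setup …
  while ((currentFolder = [sortedSubFolders nextObject]))
    if ([self _activeUserCanAccessSubFolder: currentFolder])
      [keys addObject: [currentFolder nameInContainer]];
```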


@ -983,12 +983,12 @@ class DAVCalendarPublicAclTest(unittest.TestCase):
self.subscriber_client.execute(propfind)
hrefs = propfind.response["document"] \
.findall("{DAV:}response/{DAV:}href")
self.assertEquals(len(hrefs), 1,
"expected only one href in response")
"expected 1 href in response instead of %d" % len(hrefs))
self.assertEquals(hrefs[0].text, parentColl,
"the href must be the 'Calendar' parent coll.")
acl_utility = utilities.TestCalendarACLUtility(self,
self.client,
self.createdRsrc)