diff --git a/ChangeLog b/ChangeLog index 42fcfcb90..6a4899045 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,23 @@ 2010-07-15 Wolfgang Sourdeau + * Tests/Integration/test-davacl.py + (DAVCalendarPublicAclTest.testCollectionAccessNormalUser): print + the amount of received hrefs. + + * SoObjects/Appointments/SOGoAppointmentFolders.m + (-folderObjectKeys): we now check the "AccessObject" + right on the returned folders to determine whether their ICS or + XML version should be accessible. + + * SoObjects/SOGo/SOGoParentFolder.m + (_fetchPersonalFolders:withChannel:): we no longer check access + rights from here as this method is too low level and prevent other + mechanisms from working properly. + (-lookupName:inContext:acquire:): we now check the "AccessObject" + right from here before returning the found object. We also make + use of the new "ignoreRights" method (see below) to that end. + (-toManyRelationShipKeys): same as lookupName... above. + * SoObjects/SOGo/SOGoObject.m (-ignoreRights): new utility method that determines whether the current object must check access rights on subobjects. diff --git a/SoObjects/Appointments/SOGoAppointmentFolders.m b/SoObjects/Appointments/SOGoAppointmentFolders.m index 13a7b5b8f..3cfba791b 100644 --- a/SoObjects/Appointments/SOGoAppointmentFolders.m +++ b/SoObjects/Appointments/SOGoAppointmentFolders.m @@ -29,6 +29,7 @@ #import #import #import +#import #import #import @@ -63,8 +64,16 @@ @end +static SoSecurityManager *sm = nil; + @implementation SOGoAppointmentFolders ++ (void) initialize +{ + if (!sm) + sm = [SoSecurityManager sharedSecurityManager]; +} + - (id) init { if ((self = [super init])) @@ -166,9 +175,11 @@ SOGoAppointmentFolder *folder; NSString *folderObjectKey; int count, max; + BOOL ignoreRights; if (!folderObjectKeys) { + ignoreRights = [self ignoreRights]; folders = [self subFolders]; max = [folders count]; folderObjectKeys = [[NSMutableArray alloc] initWithCapacity: max]; @@ -176,7 +187,10 @@ { folder = [folders objectAtIndex: count]; if ([folder isMemberOfClass: [SOGoAppointmentFolder class]] - && ![folder isSubscription]) + && ![folder isSubscription] + && (ignoreRights || ![sm validatePermission: SOGoPerm_AccessObject + onObject: folder + inContext: context])) { folderObjectKey = [NSString stringWithFormat: @"%@.ics", [folder nameInContainer]]; diff --git a/SoObjects/SOGo/SOGoParentFolder.m b/SoObjects/SOGo/SOGoParentFolder.m index 2066ba3fe..e9ceb93aa 100644 --- a/SoObjects/SOGo/SOGoParentFolder.m +++ b/SoObjects/SOGo/SOGoParentFolder.m @@ -175,26 +175,19 @@ static SoSecurityManager *sm = nil; { NSArray *attrs; NSDictionary *row; - BOOL hasPersonal, ignoreRights; SOGoGCSFolder *folder; NSString *key, *login; NSException *error; SOGoUser *currentUser; - SoSecurityManager *securityManager; if (!subFolderClass) subFolderClass = [[self class] subFolderClass]; - hasPersonal = NO; error = [fc evaluateExpressionX: sql]; if (!error) { currentUser = [context activeUser]; login = [currentUser login]; - ignoreRights = (activeUserIsOwner || [login isEqualToString: owner] - || [currentUser isSuperUser]); - if (!ignoreRights) - securityManager = [SoSecurityManager sharedSecurityManager]; attrs = [fc describeResults: NO]; while ((row = [fc fetchAttributes: attrs withZone: NULL])) @@ -203,19 +196,13 @@ static SoSecurityManager *sm = nil; if ([key isKindOfClass: [NSString class]]) { folder = [subFolderClass objectWithName: key inContainer: self]; - hasPersonal = (hasPersonal - || [key isEqualToString: @"personal"]); [folder setOCSPath: [NSString stringWithFormat: @"%@/%@", OCSPath, key]]; - if (ignoreRights - || ![securityManager validatePermission: SOGoPerm_AccessObject - onObject: folder - inContext: context]) - [subFolders setObject: folder forKey: key]; + [subFolders setObject: folder forKey: key]; } } - if (ignoreRights && !hasPersonal) + if (![subFolders objectForKey: @"personal"]) [self _createPersonalFolder]; } @@ -413,8 +400,15 @@ static SoSecurityManager *sm = nil; obj = [NSException exceptionWithHTTPStatus: 503]; } else - obj = [subFolders objectForKey: name]; - + { + obj = [subFolders objectForKey: name]; + if (obj && ![self ignoreRights] + && [sm validatePermission: SOGoPerm_AccessObject + onObject: obj + inContext: context]) + obj = nil; + } + if (!obj) { // Lookup in subscribed folders @@ -475,7 +469,7 @@ static SoSecurityManager *sm = nil; #warning check error here error = [self initSubFolders]; - + subs = [subFolders allValues]; count = [subs count]; for (i = 0; !rc && i < count; i++) @@ -492,11 +486,20 @@ static SoSecurityManager *sm = nil; NSEnumerator *sortedSubFolders; NSMutableArray *keys; SOGoGCSFolder *currentFolder; + BOOL ignoreRights; + + ignoreRights = [self ignoreRights]; keys = [NSMutableArray array]; sortedSubFolders = [[self subFolders] objectEnumerator]; while ((currentFolder = [sortedSubFolders nextObject])) - [keys addObject: [currentFolder nameInContainer]]; + { + if (ignoreRights + || ![sm validatePermission: SOGoPerm_AccessObject + onObject: currentFolder + inContext: context]) + [keys addObject: [currentFolder nameInContainer]]; + } return keys; } diff --git a/Tests/Integration/test-davacl.py b/Tests/Integration/test-davacl.py index 5455929d6..87e47a7d3 100755 --- a/Tests/Integration/test-davacl.py +++ b/Tests/Integration/test-davacl.py @@ -983,12 +983,12 @@ class DAVCalendarPublicAclTest(unittest.TestCase): self.subscriber_client.execute(propfind) hrefs = propfind.response["document"] \ .findall("{DAV:}response/{DAV:}href") + self.assertEquals(len(hrefs), 1, - "expected only one href in response") + "expected 1 href in response instead of %d" % len(hrefs)) self.assertEquals(hrefs[0].text, parentColl, "the href must be the 'Calendar' parent coll.") - acl_utility = utilities.TestCalendarACLUtility(self, self.client, self.createdRsrc)