[Pkg-owncloud-commits] [php-sabredav] 133/148: Locking down creating new principals using ACL.

David Prévot taffit at moszumanska.debian.org
Wed Apr 15 01:37:32 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository php-sabredav.

commit a540b2e6be6fea1a0c65a39de2e83ce58f2d2b5d
Author: Evert Pot <me at evertpot.com>
Date:   Mon Apr 13 00:08:24 2015 -0400

    Locking down creating new principals using ACL.
---
 lib/DAV/Browser/Plugin.php         |  7 ++++
 lib/DAVACL/Plugin.php              |  2 +-
 lib/DAVACL/PrincipalCollection.php | 79 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 86 insertions(+), 2 deletions(-)

diff --git a/lib/DAV/Browser/Plugin.php b/lib/DAV/Browser/Plugin.php
index 4c4ae28..fd01fcf 100644
--- a/lib/DAV/Browser/Plugin.php
+++ b/lib/DAV/Browser/Plugin.php
@@ -166,6 +166,13 @@ class Plugin extends DAV\ServerPlugin {
                             // Any _POST variable in clark notation is treated
                             // like a property.
                             if ($varName[0] === '{') {
+                                // PHP will convert any dots to underscores.
+                                // This leaves us with no way to differentiate
+                                // the two.
+                                // Therefore we replace the string *DOT* with a
+                                // real dot. * is not allowed in uris so we
+                                // should be good.
+                                $varName = str_replace('*DOT*', '.', $varName);
                                 $properties[$varName] = $varValue;
                             }
                         }
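Review bot: The added comment justifies the `*DOT*` placeholder by saying `*` is not allowed in URIs, but RFC 3986 lists `*` among the sub-delims, so a property namespace that contains the literal text `*DOT*` would be silently rewritten by the `str_replace` call. PHP applies the same underscore conversion to spaces in incoming variable names, and that case is still indistinguishable after this change. I would reword the comment so the limitation is explicit, for example `// '*DOT*' is a form-only placeholder for '.'; names containing that literal cannot be submitted here`. The enclosing loop and method start outside the hunk, so how `$properties` is validated afterwards cannot be checked from here.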
diff --git a/lib/DAVACL/Plugin.php b/lib/DAVACL/Plugin.php
index bc04b32..7b79558 100644
--- a/lib/DAVACL/Plugin.php
+++ b/lib/DAVACL/Plugin.php
@@ -1293,7 +1293,7 @@ class Plugin extends DAV\ServerPlugin {
             <input type="hidden" name="resourceType" value="{DAV:}principal" />
             <label>Name (uri):</label> <input type="text" name="name" /><br />
             <label>Display name:</label> <input type="text" name="{DAV:}displayname" /><br />
-            <label>Email address:</label> <input type="text" name="{http://sabreav.org/ns}email-address" /><br />
+            <label>Email address:</label> <input type="text" name="{http://sabredav*DOT*org/ns}email-address" /><br />
             <input type="submit" value="create" />
             </form>
             </td></tr>';
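Review bot: The `*DOT*` token in the new field name `{http://sabredav*DOT*org/ns}email-address` reads like a typo at this point in the file, because the code that turns it back into a dot lives in lib/DAV/Browser/Plugin.php. A short PHP comment above the HTML string, for example `// '*DOT*' is decoded to '.' by DAV\Browser\Plugin; PHP would otherwise turn the dot into '_'`, would keep a later maintainer from "correcting" it and breaking the property name. The form's opening tag and the surrounding method are outside the hunk.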
diff --git a/lib/DAVACL/PrincipalCollection.php b/lib/DAVACL/PrincipalCollection.php
index ff0c801..e034557 100644
--- a/lib/DAVACL/PrincipalCollection.php
+++ b/lib/DAVACL/PrincipalCollection.php
@@ -4,6 +4,7 @@ namespace Sabre\DAVACL;
 
 use
     Sabre\DAV\Exception\InvalidResourceType,
+    Sabre\DAV\Exception\Forbidden,
     Sabre\DAV\IExtendedCollection,
     Sabre\DAV\MkCol;
 
@@ -17,7 +18,7 @@ use
  * @author Evert Pot (http://evertpot.com/)
  * @license http://sabre.io/license/ Modified BSD License
  */
-class PrincipalCollection extends AbstractPrincipalCollection implements IExtendedCollection {
+class PrincipalCollection extends AbstractPrincipalCollection implements IExtendedCollection, IACL {
 
     /**
      * This method returns a node for a principal.
@@ -72,4 +73,80 @@ class PrincipalCollection extends AbstractPrincipalCollection implements IExtend
 
     }
 
+    /**
+     * Returns the owner principal
+     *
+     * This must be a url to a principal, or null if there's no owner
+     *
+     * @return string|null
+     */
+    function getOwner() {
+        return null;
+    }
+
+    /**
+     * Returns a group principal
+     *
+     * This must be a url to a principal, or null if there's no owner
+     *
+     * @return string|null
+     */
+    function getGroup() {
+        return null;
+    }
+
+    /**
+     * Returns a list of ACE's for this node.
+     *
+     * Each ACE has the following properties:
+     *   * 'privilege', a string such as {DAV:}read or {DAV:}write. These are
+     *     currently the only supported privileges
+     *   * 'principal', a url to the principal who owns the node
+     *   * 'protected' (optional), indicating that this ACE is not allowed to
+     *      be updated.
+     *
+     * @return array
+     */
+    function getACL() {
+        return [
+            [
+                'principal' => '{DAV:}authenticated',
+                'privilege' => '{DAV:}read',
+                'protected' => true,
+            ],
+        ];
+    }
+
+    /**
+     * Updates the ACL
+     *
+     * This method will receive a list of new ACE's as an array argument.
+     *
+     * @param array $acl
+     * @return void
+     */
+    function setACL(array $acl) {
+
+        throw new Forbidden('Updating ACLs is not allowed on this node');
+
+    }
+
+    /**
+     * Returns the list of supported privileges for this node.
+     *
+     * The returned data structure is a list of nested privileges.
+     * See Sabre\DAVACL\Plugin::getDefaultSupportedPrivilegeSet for a simple
+     * standard structure.
+     *
+     * If null is returned from this method, the default privilege set is used,
+     * which is fine for most common usecases.
+     *
+     * @return array|null
+     */
+    function getSupportedPrivilegeSet() {
+
+        return null;
+
+    }
+
 }
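Review bot: The docblock on `getACL()` describes the generic ACE format but not the access decision this commit is about: the single entry grants only `{DAV:}read` to `{DAV:}authenticated`, so no principal receives a write privilege on the collection, and because `setACL()` throws `Forbidden` that cannot be changed at runtime. I would state this in the docblock, e.g. `* Only read is granted; creating principals here is denied unless a subclass overrides this method.` The restriction presumably takes effect only where the DAVACL plugin is enforcing ACLs, which this hunk does not show, so that dependency is worth a sentence too. Separately, the `getGroup()` docblock says `or null if there's no owner` where `no group` is meant.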

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/php-sabredav.git


