[3733] | 1 | <?php |
---|
| 2 | /** |
---|
| 3 | * CalDAV Server - handle ACL method |
---|
| 4 | * |
---|
| 5 | * @package davical |
---|
| 6 | * @subpackage caldav |
---|
| 7 | * @author Andrew McMillan <andrew@morphoss.com> |
---|
| 8 | * @copyright Morphoss Ltd |
---|
| 9 | * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 |
---|
| 10 | */ |
---|
| 11 | dbg_error_log("ACL", "method handler"); |
---|
| 12 | |
---|
| 13 | require_once('DAVResource.php'); |
---|
| 14 | |
---|
| 15 | $request->NeedPrivilege('DAV::write-acl'); |
---|
| 16 | |
---|
| 17 | if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { |
---|
| 18 | $fh = fopen('/tmp/MOVE.txt','w'); |
---|
| 19 | if ( $fh ) { |
---|
| 20 | fwrite($fh,$request->raw_post); |
---|
| 21 | fclose($fh); |
---|
| 22 | } |
---|
| 23 | } |
---|
| 24 | |
---|
| 25 | $resource = new DAVResource( $request->path ); |
---|
| 26 | |
---|
| 27 | /** |
---|
| 28 | * Preconditions |
---|
| 29 | (DAV:no-ace-conflict): The ACEs submitted in the ACL request MUST NOT |
---|
| 30 | conflict with each other. This is a catchall error code indicating |
---|
| 31 | that an implementation-specific ACL restriction has been violated. |
---|
| 32 | |
---|
| 33 | (DAV:no-protected-ace-conflict): The ACEs submitted in the ACL |
---|
| 34 | request MUST NOT conflict with the protected ACEs on the resource. |
---|
| 35 | For example, if the resource has a protected ACE granting DAV:write |
---|
| 36 | to a given principal, then it would not be consistent if the ACL |
---|
| 37 | request submitted an ACE denying DAV:write to the same principal. |
---|
| 38 | |
---|
| 39 | (DAV:no-inherited-ace-conflict): The ACEs submitted in the ACL |
---|
| 40 | request MUST NOT conflict with the inherited ACEs on the resource. |
---|
| 41 | For example, if the resource inherits an ACE from its parent |
---|
| 42 | collection granting DAV:write to a given principal, then it would not |
---|
| 43 | be consistent if the ACL request submitted an ACE denying DAV:write |
---|
| 44 | to the same principal. Note that reporting of this error will be |
---|
| 45 | implementation-dependent. Implementations MUST either report this |
---|
| 46 | error or allow the ACE to be set, and then let normal ACE evaluation |
---|
| 47 | rules determine whether the new ACE has any impact on the privileges |
---|
| 48 | available to a specific principal. |
---|
| 49 | |
---|
| 50 | (DAV:limited-number-of-aces): The number of ACEs submitted in the ACL |
---|
| 51 | request MUST NOT exceed the number of ACEs allowed on that resource. |
---|
| 52 | However, ACL-compliant servers MUST support at least one ACE granting |
---|
| 53 | privileges to a single principal, and one ACE granting privileges to |
---|
| 54 | a group. |
---|
| 55 | |
---|
| 56 | (DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all |
---|
| 57 | non-inherited grant ACEs. |
---|
| 58 | |
---|
| 59 | (DAV:grant-only): The ACEs submitted in the ACL request MUST NOT |
---|
| 60 | include a deny ACE. This precondition applies only when the ACL |
---|
| 61 | restrictions of the resource include the DAV:grant-only constraint |
---|
| 62 | (defined in Section 5.6.1). |
---|
| 63 | |
---|
| 64 | (DAV:no-invert): The ACL request MUST NOT include a DAV:invert |
---|
| 65 | element. This precondition applies only when the ACL semantics of |
---|
| 66 | the resource includes the DAV:no-invert constraint (defined in |
---|
| 67 | Section 5.6.2). |
---|
| 68 | |
---|
| 69 | (DAV:no-abstract): The ACL request MUST NOT attempt to grant or deny |
---|
| 70 | an abstract privilege (see Section 5.3). |
---|
| 71 | |
---|
| 72 | (DAV:not-supported-privilege): The ACEs submitted in the ACL request |
---|
| 73 | MUST be supported by the resource. |
---|
| 74 | |
---|
| 75 | (DAV:missing-required-principal): The result of the ACL request MUST |
---|
| 76 | have at least one ACE for each principal identified in a |
---|
| 77 | DAV:required-principal XML element in the ACL semantics of that |
---|
| 78 | resource (see Section 5.5). |
---|
| 79 | |
---|
| 80 | (DAV:recognized-principal): Every principal URL in the ACL request |
---|
| 81 | MUST identify a principal resource. |
---|
| 82 | |
---|
| 83 | (DAV:allowed-principal): The principals specified in the ACEs |
---|
| 84 | submitted in the ACL request MUST be allowed as principals for the |
---|
| 85 | resource. For example, a server where only authenticated principals |
---|
| 86 | can access resources would not allow the DAV:all or |
---|
| 87 | DAV:unauthenticated principals to be used in an ACE, since these |
---|
| 88 | would allow unauthenticated access to resources. |
---|
| 89 | */ |
---|
| 90 | |
---|
| 91 | $position = 0; |
---|
| 92 | $xmltree = BuildXMLTree( $request->xml_tags, $position); |
---|
| 93 | $aces = $xmltree->GetPath("/DAV::acl/*"); |
---|
| 94 | |
---|
| 95 | $grantor = new DAVResource($request->path); |
---|
| 96 | if ( ! $grantor->Exists() ) $request->DoResponse( 404 ); |
---|
| 97 | $by_principal = null; |
---|
| 98 | $by_collection = null; |
---|
| 99 | if ( $grantor->IsPrincipal() ) $by_principal = $grantor->GetProperty('principal_id'); |
---|
| 100 | else if ( $grantor->IsCollection() ) $by_collection = $grantor->GetProperty('collection_id'); |
---|
| 101 | else $request->PreconditionFailed(403,'not-supported-privilege','ACLs may only be applied to Principals or Collections'); |
---|
| 102 | |
---|
| 103 | $qry = new AwlQuery('BEGIN'); |
---|
| 104 | $qry->Exec('ACL',__LINE__,__FILE__); |
---|
| 105 | |
---|
| 106 | foreach( $aces AS $k => $ace ) { |
---|
| 107 | $elements = $ace->GetContent(); |
---|
| 108 | $principal = $elements[0]; |
---|
| 109 | $grant = $elements[1]; |
---|
| 110 | if ( $principal->GetTag() != 'DAV::principal' ) $request->MalformedRequest('ACL request must contain a principal, not '.$principal->GetTag()); |
---|
| 111 | $grant_tag = $grant->GetTag(); |
---|
| 112 | if ( $grant_tag == 'DAV::deny' ) $request->PreconditionFailed(403,'grant-only'); |
---|
| 113 | if ( $grant_tag == 'DAV::invert' ) $request->PreconditionFailed(403,'no-invert'); |
---|
| 114 | if ( $grant->GetTag() != 'DAV::grant' ) $request->MalformedRequest('ACL request must contain a principal for each ACE'); |
---|
| 115 | |
---|
| 116 | $privilege_names = array(); |
---|
| 117 | $xml_privs = $grant->GetPath("/DAV::grant/DAV::privilege/*"); |
---|
| 118 | foreach( $xml_privs AS $k => $priv ) { |
---|
| 119 | $privilege_names[] = $priv->GetTag(); |
---|
| 120 | } |
---|
| 121 | $privileges = privilege_to_bits($privilege_names); |
---|
| 122 | |
---|
| 123 | $principal_content = $principal->GetContent(); |
---|
| 124 | if ( count($principal_content) != 1 ) $request->MalformedRequest('ACL request must contain exactly one principal per ACE'); |
---|
| 125 | $principal_content = $principal_content[0]; |
---|
| 126 | switch( $principal_content->GetTag() ) { |
---|
| 127 | case 'DAV::property': |
---|
| 128 | $principal_property = $principal_content->GetContent(); |
---|
| 129 | if ( $principal_property[0]->GetTag() != 'DAV::owner' ) $request->PreconditionFailed(403, 'recognized-principal' ); |
---|
| 130 | if ( privilege_to_bits('all') != $privileges ) { |
---|
| 131 | $request->PreconditionFailed(403, 'no-protected-ace-conflict', 'Owner must always have all permissions' ); |
---|
| 132 | } |
---|
| 133 | continue; // and then we ignore it, since it's protected |
---|
| 134 | break; |
---|
| 135 | |
---|
| 136 | case 'DAV::unauthenticated': |
---|
| 137 | $request->PreconditionFailed(403, 'allowed-principal', 'May not set privileges for unauthenticated users' ); |
---|
| 138 | break; |
---|
| 139 | |
---|
| 140 | case 'DAV::href': |
---|
| 141 | $principal_type = 'href'; |
---|
| 142 | $principal = new DAVResource( DeconstructURL($principal_content->GetContent()) ); |
---|
| 143 | if ( ! $principal->Exists() || !$principal->IsPrincipal() ) |
---|
| 144 | $request->PreconditionFailed(403,'recognized-principal', 'Principal "' + $principal_content->GetContent() + '" not found.'); |
---|
| 145 | $sqlparms = array( ':to_principal' => $principal->GetProperty('principal_id') ); |
---|
| 146 | $where = 'WHERE to_principal=:to_principal AND '; |
---|
| 147 | if ( isset($by_principal) ) { |
---|
| 148 | $sqlparms[':by_principal'] = $by_principal; |
---|
| 149 | $where .= 'by_principal = :by_principal'; |
---|
| 150 | } |
---|
| 151 | else { |
---|
| 152 | $sqlparms[':by_collection'] = $by_collection; |
---|
| 153 | $where .= 'by_collection = :by_collection'; |
---|
| 154 | } |
---|
| 155 | $qry = new AwlQuery('SELECT privileges FROM grants '.$where, $sqlparms); |
---|
| 156 | if ( $qry->Exec('ACL',__LINE__,__FILE__) && $qry->rows() == 1 && $current = $qry->Fetch() ) { |
---|
| 157 | $sql = 'UPDATE grants SET privileges=:privileges::INT::BIT(24) '.$where; |
---|
| 158 | } |
---|
| 159 | else { |
---|
| 160 | $sqlparms[':by_principal'] = $by_principal; |
---|
| 161 | $sqlparms[':by_collection'] = $by_collection; |
---|
| 162 | $sql = 'INSERT INTO grants (by_principal, by_collection, to_principal, privileges) VALUES(:by_principal, :by_collection, :to_principal, :privileges::INT::BIT(24))'; |
---|
| 163 | } |
---|
| 164 | $sqlparms[':privileges'] = $privileges; |
---|
| 165 | $qry = new AwlQuery($sql, $sqlparms); |
---|
| 166 | $qry->Exec('ACL',__LINE__,__FILE__); |
---|
| 167 | break; |
---|
| 168 | |
---|
| 169 | case 'DAV::authenticated': |
---|
| 170 | $principal_type = 'authenticated'; |
---|
| 171 | if ( bindec($grantor->GetProperty('default_privileges')) == $privileges ) continue; // There is no change, so skip it |
---|
| 172 | $sqlparms = array( ':privileges' => $privileges ); |
---|
| 173 | if ( isset($by_collection) ) { |
---|
| 174 | $sql = 'UPDATE collection SET default_privileges=:privileges::INT::BIT(24) WHERE collection_id=:by_collection'; |
---|
| 175 | $sqlparms[':by_collection'] = $by_collection; |
---|
| 176 | } |
---|
| 177 | else { |
---|
| 178 | $sql = 'UPDATE principal SET default_privileges=:privileges::INT::BIT(24) WHERE principal_id=:by_principal'; |
---|
| 179 | $sqlparms[':by_principal'] = $by_principal; |
---|
| 180 | } |
---|
| 181 | $qry = new AwlQuery($sql, $sqlparms); |
---|
| 182 | $qry->Exec('ACL',__LINE__,__FILE__); |
---|
| 183 | break; |
---|
| 184 | |
---|
| 185 | case 'DAV::all': |
---|
| 186 | // $principal_type = 'all'; |
---|
| 187 | $request->PreconditionFailed(403, 'allowed-principal', 'May not set privileges for unauthenticated users' ); |
---|
| 188 | break; |
---|
| 189 | |
---|
| 190 | default: |
---|
| 191 | $request->PreconditionFailed(403, 'recognized-principal' ); |
---|
| 192 | break; |
---|
| 193 | } |
---|
| 194 | |
---|
| 195 | } |
---|
| 196 | |
---|
| 197 | $qry = new AwlQuery('COMMIT'); |
---|
| 198 | $qry->Exec('ACL',__LINE__,__FILE__); |
---|
| 199 | |
---|
| 200 | |
---|
| 201 | $request->DoResponse( 200 ); |
---|