Skip to content

Fix access#100

Merged
liZe merged 6 commits intoKozea:masterfrom
chripo:fix-access
Feb 5, 2014
Merged

Fix access#100
liZe merged 6 commits intoKozea:masterfrom
chripo:fix-access

Conversation

@chripo
Copy link
Contributor

@chripo chripo commented Jan 15, 2014

under certain conditions it was possible to pass the final access control if-clause.
the master branch grants access if:

if ((read_allowed_items or write_allowed_items)
        and (not user or auth.is_authenticated(user, password))) or \
        function == self.options or not items:
    # Collections found, or OPTIONS request, or no items at all

the easy-connect branch from pull request #95 extends it with:

        (is_authenticated and function == self.propfind) or \

the last or not items condition levers out the previous authentication and access control. that isn't that big secuity issue because in this case there are no collection and items at all. but "bad" and anonymous users could gather data and information which not destined for them.

the first commit (Fix access to collections) simplifies the if-clause to:

        is_valid_user = is_authenticated or not user
        ...
        if is_valid_user and ( \
                (read_allowed_items or write_allowed_items) or \
                (is_authenticated and function == self.propfind) or \
                function == self.options):

the second commit (Find collections if necessary) is an improvement, it gathers items for valid user only.

chripo added 6 commits January 5, 2014 21:22
@chripo
Fix principal URLs in PROPFIND response
2ddec14
@chripo
Respond to all authenticated PROPFIND requests
83db273
@chripo
Fix principal-collection-set in PROPFIND response
d09b16c
@chripo
Fix calendar/addressbook-home-set in PROPFIND response
387e1fe
@chripo
Fix access to collections
90d82d0 
under certain conditions it was possible to pass the final access control
if-clause. the master branch granted access if:

    if ((read_allowed_items or write_allowed_items)
        and (not user or auth.is_authenticated(user, password))) or
        function == self.options or not items:

the easy-connect branch from pull request Kozea#95 adds:
    (is_authenticated and function == self.propfind) or

the last `or not items` condition levers out the previous authentication and
access control. that isn't that big secuity issue because in this case there
are no collection and items at all. but "bad" and anonymous users could gather
data and information which not destined for them.

this commit fixes and simplifies the if-clause.
@chripo
Find collections if necessary
3aa992e
@hhenkel hhenkel mentioned this pull request Jan 20, 2014
Merged
liZe added a commit that referenced this pull request Feb 5, 2014
@liZe
Merge pull request #100 from chripo/fix-access
c953211 
Fix access
@liZe liZe merged commit c953211 into Kozea:master Feb 5, 2014
@liZe
Copy link
Member

liZe commented Feb 5, 2014

Merged too, now that #95 is merged.

@chripo chripo deleted the fix-access branch February 10, 2014 21:46
@DrElizar DrElizar mentioned this pull request Mar 22, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chripo @liZe