
Fix unauthenticated access to wiki calendars

m0rgen committed Oct 28, 2014
1 parent 075c3fe commit 5b51823c95159ae6333494f1dddc0f84385539a6
Showing with 80 additions and 6 deletions.
  1. +1 −1 txdav/dps/client.py
  2. +5 −2 txdav/dps/server.py
  3. +64 −1 txdav/who/test/test_wiki.py
  4. +10 −2 txdav/who/wiki.py
@@ -573,7 +573,7 @@ def accessForRecord(self, record):
WikiAccessForUIDCommand,
self._convertAccess,
wikiUID=self.uid.encode("utf-8"),
uid=record.uid.encode("utf-8")
uid=record.uid.encode("utf-8") if record else ""
)
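Review bot: The new `uid=record.uid.encode("utf-8") if record else ""` argument turns an empty string into the wire-level sentinel for "no authenticated user", but nothing at the call site records that contract, and a bare truthiness test on a record object is a weaker check than an explicit identity test. I would write `uid=record.uid.encode("utf-8") if record is not None else ""` and put above the call `# An empty uid tells the DPS server the caller is unauthenticated; it must never be mapped to a real principal.` so the pairing with the server-side `if uid:` branch is visible to the next reader. accessForRecord's definition begins before this hunk.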


@@ -634,8 +634,11 @@ def wikiAccessForUID(self, wikiUID, uid):
log.debug("WikiAccessForUID: {w} {u}", w=wikiUID, u=uid)
access = WikiAccessLevel.none
wikiRecord = (yield self._directory.recordWithUID(wikiUID))
userRecord = (yield self._directory.recordWithUID(uid))
if wikiRecord is not None and userRecord is not None:
if uid:
userRecord = (yield self._directory.recordWithUID(uid))
else:
userRecord = None
if wikiRecord is not None:
access = (yield wikiRecord.accessForRecord(userRecord))
response = {
"access": access.name.encode("utf-8"),
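Review bot: The new branching folds two different cases into one: a request with no uid (anonymous) and a request whose uid does not resolve to a directory record both reach `wikiRecord.accessForRecord(None)`. Before this change an unresolvable uid produced `WikiAccessLevel.none`; now it receives whatever the wiki grants to unauthenticated users, so a stale uid (a deleted account, for instance) is silently treated as anonymous rather than refused, which is a behaviour change the commit title does not cover. I would fail closed for that case by replacing `if wikiRecord is not None:` with `if wikiRecord is not None and (not uid or userRecord is not None):` and adding `# A supplied uid that resolves to no record is denied, not treated as anonymous.` The remainder of wikiAccessForUID, including its return, lies outside the hunk.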
@@ -26,7 +26,9 @@
from twisted.internet.defer import inlineCallbacks, succeed
from twistedcaldav.test.util import StoreTestCase

from ..wiki import DirectoryService, WikiAccessLevel
from ..wiki import (
DirectoryService, WikiAccessLevel, getWikiACL, RecordType, DirectoryRecord
)
import txdav.who.wiki


@@ -95,6 +97,7 @@ def stubAccessForUserToWiki(self, *args, **kwds):
return succeed(self.access)



@inlineCallbacks
def test_accessForRecord(self):
record = yield self.directory.recordWithUID(u"wiki-test")
@@ -114,3 +117,63 @@ def test_accessForRecord(self):
self.access = "admin"
access = yield record.accessForRecord(None)
self.assertEquals(access, WikiAccessLevel.write)



# Test getWikiACL()
# Currently stubs out enough functionality to test that an unauthenticated
# request can support read access when generating an ACL element
# TODO: add tests which have auth'd principals in the request

class FakeRequest(object):

def __init__(self):
self.authnUser = None


class FakeResource(object):

def __init__(self, record):
self.record = record


def stubAccessForRecord(self, record):
return succeed(self.access)


class GetWikiACLTestCase(StoreTestCase):
"""
Exercise getWikiACL
"""

def configure(self):
"""
Override configuration hook to turn on wiki service.
"""
from twistedcaldav.config import config

super(GetWikiACLTestCase, self).configure()
self.patch(config.Authentication.Wiki, "Enabled", True)
self.patch(
txdav.who.wiki.DirectoryRecord,
"accessForRecord",
stubAccessForRecord
)

@inlineCallbacks
def test_getWikiACL(self):
fields = {
self.directory.fieldName.uid: u"wiki-1",
self.directory.fieldName.shortNames: [u"wiki-one",],
self.directory.fieldName.recordType: RecordType.macOSXServerWiki,
}
record = DirectoryRecord(self.directory, fields)
resource = FakeResource(record)
request = FakeRequest()

record.access = WikiAccessLevel.read
result = yield getWikiACL(resource, request)
self.assertEqual(
result.children[0].children[0].children[0].name,
"unauthenticated"
)
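Review bot: test_getWikiACL asserts only which principal the ACE names, not what it grants, so a regression that handed the Unauthenticated principal write privileges in the read branch would still pass. I would extend it to the privilege set, e.g. collect the Privilege children of the Grant element and assert that `davxml.Write` is not among them, and add a second case with `record.access = WikiAccessLevel.none` pinning whatever getWikiACL produces on that path, since denying anonymous callers is the property this fix is really about. A one-line comment such as `# stubAccessForRecord reads self.access off the record, not the test case` would also explain why `record.access` is set on the DirectoryRecord instance rather than on `self`.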
@@ -282,7 +282,11 @@ def getWikiACL(resource, request):
if access == WikiAccessLevel.read:
request.wikiACL = davxml.ACL(
davxml.ACE(
request.authnUser.principalElement(),
(
request.authnUser.principalElement() if
request.authnUser is not None else
davxml.Principal(davxml.Unauthenticated())
),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
@@ -311,7 +315,11 @@ def getWikiACL(resource, request):
elif access == WikiAccessLevel.write:
request.wikiACL = davxml.ACL(
davxml.ACE(
request.authnUser.principalElement(),
(
request.authnUser.principalElement() if
request.authnUser is not None else
davxml.Principal(davxml.Unauthenticated())
),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
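Review bot: The write branch now names the Unauthenticated principal in an ACE whose grant continues past the hunk and, given the branch it sits in, presumably carries write privileges; letting anonymous clients write to a calendar is a deliberate enough decision that it deserves a comment at the `elif access == WikiAccessLevel.write:` line, e.g. `# The wiki itself reported write access for an anonymous user; mirror that in the DAV ACL so the wiki stays the single authority on access.` If that is not the intent, the unauthenticated case in this branch should instead fall back to the read-only ACE. As a point of style, the identical five-line principal expression is now duplicated in both branches; hoisting it into `principal = request.authnUser.principalElement() if request.authnUser is not None else davxml.Principal(davxml.Unauthenticated())` ahead of the `if access == ...` chain would leave a single place to audit. getWikiACL's definition and the start of that chain are outside these hunks.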
