DAViCal
caldav-ACL.php
1 <?php
11 dbg_error_log("ACL", "method handler");
12 
13 require_once('DAVResource.php');
14 
15 $request->NeedPrivilege('DAV::write-acl');
16 
17 if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) {
18  $fh = fopen('/var/log/davical/MOVE.debug','w');
19  if ( $fh ) {
20  fwrite($fh,$request->raw_post);
21  fclose($fh);
22  }
23 }
24 
25 $resource = new DAVResource( $request->path );
26 
91 $xmltree = BuildXMLTree( $request->xml_tags );
92 $aces = $xmltree->GetPath("/DAV::acl/*");
93 
94 $grantor = new DAVResource($request->path);
95 if ( ! $grantor->Exists() ) $request->DoResponse( 404 );
96 if ( ! $grantor->IsCollection() )
97  $request->PreconditionFailed(403,'not-supported-privilege','ACLs are only supported on Principals or Collections');
98 
99 $grantor->NeedPrivilege('write-acl');
100 
101 $cache_delete_list = array();
102 
103 $qry = new AwlQuery('BEGIN');
104 $qry->Exec('ACL',__LINE__,__FILE__);
105 
106 function process_ace( $grantor, $by_principal, $by_collection, $ace ) {
107  global $cache_delete_list, $request;
108 
109  $elements = $ace->GetContent();
110  $principal_node = $elements[0];
111  $grant = $elements[1];
112  if ( $principal_node->GetNSTag() != 'DAV::principal' ) $request->MalformedRequest('ACL request must contain a principal, not '.$principal->GetNSTag());
113  $grant_tag = $grant->GetNSTag();
114  if ( $grant_tag == 'DAV::deny' ) $request->PreconditionFailed(403,'grant-only');
115  if ( $grant_tag == 'DAV::invert' ) $request->PreconditionFailed(403,'no-invert');
116  if ( $grant->GetNSTag() != 'DAV::grant' ) $request->MalformedRequest('ACL request must contain a principal for each ACE');
117 
118  $privilege_names = array();
119  $xml_privs = $grant->GetPath("/DAV::grant/DAV::privilege/*");
120  foreach( $xml_privs AS $k => $priv ) {
121  $privilege_names[] = $priv->GetNSTag();
122  }
123  $privileges = privilege_to_bits($privilege_names);
124 
125  $principal_content = $principal_node->GetContent();
126  if ( count($principal_content) != 1 ) $request->MalformedRequest('ACL request must contain exactly one principal per ACE');
127  $principal_content = $principal_content[0];
128  switch( $principal_content->GetNSTag() ) {
129  case 'DAV::property':
130  $principal_property = $principal_content->GetContent();
131  if ( $principal_property[0]->GetNSTag() != 'DAV::owner' ) $request->PreconditionFailed(403, 'recognized-principal' );
132  if ( privilege_to_bits('all') != $privileges ) {
133  $request->PreconditionFailed(403, 'no-protected-ace-conflict', 'Owner must always have all permissions' );
134  }
135  break; // and then we ignore it, since it's protected
136 
137  case 'DAV::unauthenticated':
138  $request->PreconditionFailed(403, 'allowed-principal', 'May not set privileges for unauthenticated users' );
139  break;
140 
141  case 'DAV::href':
142  $principal_type = 'href';
143  $grantee = new DAVResource( DeconstructURL($principal_content->GetContent()) );
144  $grantee_id = $grantee->getProperty('principal_id');
145  if ( !$grantee->Exists() || !$grantee->IsPrincipal() )
146  $request->PreconditionFailed(403,'recognized-principal', 'Principal "' . $principal_content->GetContent() . '" not found.');
147  $sqlparms = array( ':to_principal' => $grantee_id);
148  $where = 'WHERE to_principal=:to_principal AND ';
149  if ( isset($by_principal) ) {
150  $sqlparms[':by_principal'] = $by_principal;
151  $where .= 'by_principal = :by_principal';
152  }
153  else {
154  $sqlparms[':by_collection'] = $by_collection;
155  $where .= 'by_collection = :by_collection';
156  }
157  $qry = new AwlQuery('SELECT privileges FROM grants '.$where, $sqlparms);
158  if ( $qry->Exec('ACL',__LINE__,__FILE__) && $qry->rows() == 1 && $current = $qry->Fetch() ) {
159  $sql = 'UPDATE grants SET privileges=:privileges::INT::BIT(24) '.$where;
160  }
161  else {
162  $sqlparms[':by_principal'] = $by_principal;
163  $sqlparms[':by_collection'] = $by_collection;
164  $sql = 'INSERT INTO grants (by_principal, by_collection, to_principal, privileges) VALUES(:by_principal, :by_collection, :to_principal, :privileges::INT::BIT(24))';
165  }
166  $sqlparms[':privileges'] = $privileges;
167  $qry = new AwlQuery($sql, $sqlparms);
168  if ( $qry->Exec('ACL',__LINE__,__FILE__) ) {
169  Principal::cacheDelete('dav_name',$grantee->dav_name());
170  Principal::cacheFlush('principal_id IN (SELECT member_id FROM group_member WHERE group_id = ?)', array($grantee_id));
171  }
172  break;
173 
174  case 'DAV::authenticated':
175  $principal_type = 'authenticated';
176  $grant_default_privs = $grantor->GetProperty('default_privileges');
177  if ( isset($grant_default_privs) && bindec($grant_default_privs) == $privileges ) break; // There is no change, so skip it
178  $sqlparms = array( ':privileges' => $privileges );
179  if ( isset($by_collection) ) {
180  $sql = 'UPDATE collection SET default_privileges=:privileges::INT::BIT(24) WHERE collection_id=:by_collection';
181  $sqlparms[':by_collection'] = $by_collection;
182  }
183  else {
184  $sql = 'UPDATE principal SET default_privileges=:privileges::INT::BIT(24) WHERE principal_id=:by_principal';
185  $sqlparms[':by_principal'] = $by_principal;
186  }
187  $qry = new AwlQuery($sql, $sqlparms);
188  if ( $qry->Exec('ACL',__LINE__,__FILE__) ) {
192  Principal::cacheFlush('TRUE');
193  }
194  break;
195 
196  case 'DAV::all':
197 // $principal_type = 'all';
198  $request->PreconditionFailed(403, 'allowed-principal', 'May not set privileges for unauthenticated users' );
199  break;
200 
201  default:
202  $request->PreconditionFailed(403, 'recognized-principal' );
203  break;
204  }
205 
206 }
207 
208 $by_principal = ($grantor->IsPrincipal() ? $grantor->GetProperty('principal_id') : null);
209 $by_collection = ($grantor->IsPrincipal() ? null : $grantor->GetProperty('collection_id'));
210 
211 foreach( $aces AS $k => $ace ) {
212  process_ace($grantor, $by_principal, $by_collection, $ace);
213 }
214 
215 $qry = new AwlQuery('COMMIT');
216 $qry->Exec('ACL',__LINE__,__FILE__);
217 
218 
219 $request->DoResponse( 200 );