Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(CalDAV): set acls for DeletedCalendarObjectsCollection #42850

Merged
merged 1 commit into from
Jan 18, 2024
Merged

fix(CalDAV): set acls for DeletedCalendarObjectsCollection #42850

merged 1 commit into from
Jan 18, 2024

Conversation

JohannesGGE
Copy link
Contributor

@JohannesGGE JohannesGGE commented Jan 16, 2024
edited by ChristophWurst
Loading

  • Resolves: #

Summary

TODO

  • ...

Checklist

@JohannesGGE JohannesGGE added bug 3. to review Waiting for reviews labels Jan 16, 2024
@JohannesGGE JohannesGGE self-assigned this Jan 16, 2024
ChristophWurst
ChristophWurst approved these changes Jan 16, 2024
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

tcitworld
tcitworld previously requested changes Jan 16, 2024
View reviewed changes
apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
use function array_map;
use function implode;
use function preg_match;

class DeletedCalendarObjectsCollection implements ICalendarObjectContainer {
class DeletedCalendarObjectsCollection implements ICalendarObjectContainer, IACL {
use ACLTrait;
Copy link
Member

@tcitworld tcitworld Jan 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This brings

'privilege' => '{DAV:}all',

I think {DAV:}read should be enough, as the collection itself shouldn't be changed, but you'll need to test it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean by adding:

public function getACL(): array {
	return [
		[
			'privilege' => '{DAV:}read',
			'principal' => $this->getOwner(),
			'protected' => true,
		],
		[
			'privilege' => '{DAV:}unbind',
			'principal' => '{DAV:}owner',
			'protected' => true,
		]
	];
}

?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need {DAV:}unbind ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes. Otherwise the owner can no longer delete it themself.

Copy link
Member

@tcitworld tcitworld Jan 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the owner should be able to delete the elements in the collection, not the collection itself, right?

DeletedCalendarObject already has {DAV:}unbind.

And in any case the delete method here throws Forbidden.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The deletion does not work either via cadaver or via web interface without {DAV:}unbind for the owner. At least in my setup.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the owner should be able to delete the elements in the collection, not the collection itself, right?

DeletedCalendarObject already has {DAV:}unbind.

And in any case the delete method here throws Forbidden.

It's a bit strange. If you drop unbind from the collection, objects in the collection can't be deleted neither. Sabre returns a Node with name 'objects' could not be found.

Since deletion is indeed protected by the Forbidden, I would like to move forward with this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\Sabre\DAVACL\Plugin::beforeUnbind checks the parent for unbind before a node is unbound.

@JohannesGGE
fix(CalDAV): set acls for DeletedCalendarObjectsCollection
b454156 
Signed-off-by: Johannes Merkel <mail@johannesgge.de>
@JohannesGGE JohannesGGE force-pushed the fix/caldav/update-acls-deletedcalendarobjectscollection branch from 9fd0d9c to b454156 Compare January 17, 2024 16:08
@nextcloud nextcloud deleted a comment from JohannesGGE Jan 18, 2024
This was referenced Jan 18, 2024
Merged
Merged
Merged
Merged
Merged
Merged
@nextcloud nextcloud deleted a comment from JohannesGGE Jan 18, 2024
@ChristophWurst ChristophWurst added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Jan 18, 2024
@ChristophWurst ChristophWurst merged commit d9d222d into master Jan 18, 2024
46 of 50 checks passed
@ChristophWurst ChristophWurst deleted the fix/caldav/update-acls-deletedcalendarobjectscollection branch January 18, 2024 09:42
@blizzz blizzz mentioned this pull request Mar 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@miaulalala miaulalala miaulalala approved these changes

@tcitworld tcitworld Awaiting requested review from tcitworld tcitworld is a code owner

Assignees

@JohannesGGE JohannesGGE

Labels
4. to release Ready to be released and/or waiting for tests to finish backport-request bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JohannesGGE @ChristophWurst @tcitworld @miaulalala