check rights not on owners but on entities
authorchrysn <chrysn@fsfe.org>
Fri, 4 Apr 2014 11:40:36 +0000 (13:40 +0200)
committerJelmer Vernooń≥ <jelmer@jelmer.uk>
Sun, 10 Apr 2016 11:43:29 +0000 (11:43 +0000)
this will, in a next step, allow entities to decide their own privacy
settings

calypso/__init__.py
calypso/acl/htpasswd.py
calypso/acl/nopwd.py
calypso/acl/pam.py
calypso/principal.py

index 4aee57c..c8c5260 100644 (file)
@@ -72,10 +72,7 @@ def _check(request, function):
     owner = user = password = None
     negotiate_success = False
 
-    if request._resource:
-        owner = request._resource.owner
-    elif request._collection:
-        owner = request._collection.owner
+    entity = request._resource or request._collection or None
 
     authorization = request.headers.get("Authorization", None)
     if authorization:
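Review bot: `owner` in the initializer `owner = user = password = None` on the first context line looks dead after this change: the rewritten code binds `entity` instead, and the later hunks in this file pass `entity` to negotiate.try_aaa and has_right, so unless it is still read further down outside these hunks it should become `user = password = None`. The trailing `or None` on the new line only matters if `request._collection` can be a falsy value other than None; if it cannot, `entity = request._resource or request._collection` says the same thing. _check continues outside the hunk.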
@@ -84,7 +81,7 @@ def _check(request, function):
             plain = request._decode(base64.b64decode(challenge))
             user, password = plain.split(":")
         elif negotiate.enabled():
-            user, negotiate_success = negotiate.try_aaa(authorization, request, owner)
+            user, negotiate_success = negotiate.try_aaa(authorization, request, entity)
 
     client_info = dict([
         (name, request.headers.get(name)) for name in
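Review bot: `negotiate.try_aaa(authorization, request, entity)` now hands the Resource/collection object to a callee that previously received the owner name, and the negotiate module is not among the five files this commit touches, so unless try_aaa was adapted elsewhere its owner comparison silently changes meaning (a string compared with an object never matches). Either update try_aaa in the same change or keep passing the owner here, e.g. `getattr(entity, "owner", None)`, until it is adapted. _check continues outside the hunk.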
@@ -96,7 +93,7 @@ def _check(request, function):
 
     # Also send UNAUTHORIZED if there's no collection. Otherwise one
     # could probe the server for (non-)existing collections.
-    if has_right(owner) or negotiate_success:
+    if has_right(entity) or negotiate_success:
         function(request, context={
             "user": user,
             "client_info": client_info,
index 89e5ba5..fb5fea0 100644 (file)
@@ -57,13 +57,13 @@ def _sha1(hash_value, password):
     return sha1.digest() == base64.b64decode(hash_value)
 
 
-def has_right(owner, user, password):
+def has_right(entity, user, password):
     """Check if ``user``/``password`` couple is valid."""
-    log.debug("owner '%s' user '%s'", owner, user)
+    log.debug("entity '%s' user '%s'", entity, user)
     for line in open(FILENAME).readlines():
         if line.strip():
             login, hash_value = line.strip().split(":", 1)
-            if login == user and (not PERSONAL or user == owner):
+            if login == user and (not PERSONAL or user == entity.owner):
                 return CHECK_PASSWORD(hash_value, password)
     return False
 
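Review bot: `entity.owner` on the new comparison line is dereferenced without a None check, while the caller in calypso/__init__.py builds `entity = request._resource or request._collection or None` and its comment says a request for a missing collection must still be answered with UNAUTHORIZED so the server cannot be probed for (non-)existing collections. With PERSONAL set and a matching login, a request for a non-existent collection now raises AttributeError here instead of has_right returning False, which presumably surfaces as a server error and thereby distinguishes existing from missing collections — exactly the signal that comment wants to hide. Binding `owner = getattr(entity, "owner", None)` before the loop and comparing `user == owner` closes the gap and restores the pre-change behaviour for owner-less entities. calypso/acl/pam.py has the same unguarded dereference on its `if entity.owner and entity.owner != user and PERSONAL:` line. Unrelated to this change, `open(FILENAME).readlines()` never closes the handle; a `with open(FILENAME) as f:` block would fix that while you are here.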
index 9a8bbca..54780a5 100644 (file)
@@ -27,10 +27,10 @@ from calypso import config
 log = logging.getLogger()
 
 
-def has_right(owner, user, password):
+def has_right(entity, user, password):
     """Check if ``user`` is valid."""
-    log.debug("owner '%s' user '%s'", owner, user)
-    if user == owner or not PERSONAL:
+    log.debug("entity '%s' user '%s'", entity, user)
+    if user == entity or not PERSONAL:
         return True
     return False
 
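Review bot: `user == entity` on the new line compares the authenticated user name with the Resource object itself, whereas the sibling backends in calypso/acl/htpasswd.py and calypso/acl/pam.py compare against `entity.owner`; with PERSONAL set this comparison can never be true, so every personal request is denied (fail-closed, but not what the commit intends). Comparing the attribute with a None guard keeps the previous semantics and avoids the AttributeError the other backends now have when no collection exists: `owner = getattr(entity, "owner", None)` followed by `if user == owner or not PERSONAL:`. The debug line could then log `owner` as well, so it shows the name the decision is actually based on rather than the object's repr.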
index 01e063c..50a9839 100644 (file)
@@ -33,10 +33,10 @@ LOG = logging.getLogger()
 SVC = config.get("acl", "pam_service")
 PERSONAL = config.getboolean("acl", "personal")
 
-def has_right(owner, user, password):
+def has_right(entity, user, password):
     """Check if ``user``/``password`` couple is valid."""
-    LOG.debug("owner %s user %s", owner, user)
-    if owner and owner != user and PERSONAL:
+    LOG.debug("entity %s user %s", entity, user)
+    if entity.owner and entity.owner != user and PERSONAL:
         return False
     def pam_conv(auth, query_list, userData):
         result = []
index 4f6b653..daed2fe 100644 (file)
@@ -21,6 +21,8 @@ class Resource(object):
 
     urlpath = None # this should be present ... implement as abstract property?
 
+    owner = None # implement the interface for acls
+
 class Principal(Resource):
     def __init__(self, username):
         self.username = username
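Review bot: The comment on the new `owner = None` line says it implements the ACL interface but not what the attribute means or who reads it; calypso/acl/htpasswd.py and calypso/acl/pam.py compare it with the authenticated user name, so a maintainer adding a Resource subclass needs that contract spelled out. Suggest `owner = None  # user name of the owning principal, or None if there is none; compared with the authenticated user by the acl backends' has_right()`. It is also worth stating what None is meant to express, because the backends already disagree: htpasswd's `user == entity.owner` only matches a None user, while pam's `entity.owner and ...` skips the ownership test entirely for a None owner.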
@@ -53,7 +55,7 @@ class HomeSet(Resource):
     def propfind_children(self, depth, context):
         # FIXME ignoring depth
 
-        items = [c for c in paths.enumerate_collections() if self.is_in_set(c) and context['has_right'](c.owner)]
+        items = [c for c in paths.enumerate_collections() if self.is_in_set(c) and context['has_right'](c)]
         return super(HomeSet, self).propfind_children(depth, context) + items
 
 class AddressbookHomeSet(HomeSet):