def defaultAccessControlList(self):
privs = (
davxml.Privilege(davxml.Read()),
davxml.Privilege(caldavxml.ScheduleDeliver()),
)
if config.Scheduling.CalDAV.OldDraftCompatibility:
privs += (davxml.Privilege(caldavxml.Schedule()),)
aces = (
# DAV:Read, CalDAV:schedule-deliver for all principals (does not include anonymous)
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(*privs),
davxml.Protected(),
),
)
if config.FreeBusyURL.AnonymousAccess:
aces += (
# DAV:Read, for unauthenticated principals
davxml.ACE(
davxml.Principal(davxml.Unauthenticated()),
davxml.Grant(
davxml.Privilege(davxml.Read()),
),
davxml.Protected(),
),
)
return succeed(davxml.ACL(*aces))
def defaultAccessControlList(self):
return succeed(
davxml.ACL(
# DAV:Read for authenticated principals
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read()), ),
davxml.Protected(),
),
# DAV:Write for authenticated principals
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Write()), ),
davxml.Protected(),
),
))
def defaultAccessControlList(self):
aces = (
# DAV:read access for authenticated users.
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read())),
),
# Inheritable DAV:all access for the resource's associated principal.
davxml.ACE(
davxml.Principal(davxml.HRef(self.parent.principalURL())),
davxml.Grant(davxml.Privilege(davxml.WriteProperties())),
davxml.Protected(),
),
)
# Add admins
aces += tuple((
davxml.ACE(
davxml.Principal(davxml.HRef(principal)),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
)
for principal in config.AdminPrincipals
))
return succeed(davxml.ACL(*aces))
def defaultAccessControlList(self):
return succeed(
davxml.ACL(
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read()), ),
davxml.Protected(),
TwistedACLInheritable(),
), ))
class AuthAllResource(TestResource):
"""
Give Authenticated principals all privileges and deny everyone else.
"""
acl = davxml.ACL(
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
))
def defaultAccessControlList(self):
privs = (davxml.Privilege(caldavxml.ScheduleDeliver()), )
if config.Scheduling.CalDAV.OldDraftCompatibility:
privs += (davxml.Privilege(caldavxml.Schedule()), )
return succeed(
davxml.ACL(
# CalDAV:schedule-deliver for any authenticated user
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(*privs),
), ))
class SimpleResource(
CalDAVResource, ):
allReadACL = davxml.ACL(
# Read access for all users.
davxml.ACE(
davxml.Principal(davxml.All()),
davxml.Grant(davxml.Privilege(davxml.Read())),
davxml.Protected(),
), )
authReadACL = davxml.ACL(
# Read access for authenticated users.
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read())),
davxml.Protected(),
), )
def __init__(self,
principalCollections,
isdir=False,
defaultACL=authReadACL):
"""
Make sure it is a collection.
"""
CalDAVResource.__init__(self,
principalCollections=principalCollections)
self._isDir = isdir
self.defaultACL = defaultACL
def isCollection(self):
return self._isDir
def deadProperties(self):
if not hasattr(self, "_dead_properties"):
self._dead_properties = NonePropertyStore(self)
return self._dead_properties
def etag(self):
return succeed(None)
def accessControlList(self,
request,
inheritance=True,
expanding=False,
inherited_aces=None):
return succeed(self.defaultACL)
def defaultAccessControlList(self):
if config.AnonymousDirectoryAddressBookAccess:
# DAV:Read for all principals (includes anonymous)
accessPrincipal = davxml.All()
else:
# DAV:Read for all authenticated principals (does not include anonymous)
accessPrincipal = davxml.Authenticated()
return succeed(
davxml.ACL(
davxml.ACE(
davxml.Principal(accessPrincipal),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(
davxml.ReadCurrentUserPrivilegeSet())),
davxml.Protected(),
TwistedACLInheritable(),
), ))
"calendar-proxy-write-for",
):
# name is required to be str
from twistedcaldav.directory.calendaruserproxy import (
CalendarUserProxyPrincipalResource)
return succeed(CalendarUserProxyPrincipalResource(self, str(name)))
else:
return succeed(None)
def listChildren(self):
if config.EnableProxyPrincipals:
return (
"calendar-proxy-read",
"calendar-proxy-write",
)
else:
return ()
##
# Utilities
##
authReadACL = davxml.ACL(
# Read access for authenticated users.
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read())),
davxml.Protected(),
), )
def shareeAccessControlList(self, request, *args, **kwargs):
"""
Return WebDAV ACLs appropriate for the current user accessing the
shared collection. For an "invite" share we take the privilege granted
to the sharee in the invite and map that to WebDAV ACLs. For a
"direct" share, if it is a wiki collection we map the wiki privileges
into WebDAV ACLs, otherwise we use whatever privileges exist on the
underlying shared collection.
@param request: the request used to locate the owner resource.
@type request: L{txweb2.iweb.IRequest}
@param args: The arguments for
L{txweb2.dav.idav.IDAVResource.accessControlList}
@param kwargs: The keyword arguments for
L{txweb2.dav.idav.IDAVResource.accessControlList}, plus
keyword-only arguments.
@return: the appropriate WebDAV ACL for the sharee
@rtype: L{davxml.ACL}
"""
assert self._isShareeResource, "Only call this for a sharee resource"
assert self.isCalendarCollection() or self.isAddressBookCollection(
), "Only call this for a address book or calendar resource"
sharee = yield self.principalForUID(
self._newStoreObject.viewerHome().uid())
access = yield self._checkAccessControl()
if access == "original" and not self._newStoreObject.ownerHome(
).external():
original = (yield request.locateResource(self._share_url))
result = (yield original.accessControlList(request, *args,
**kwargs))
returnValue(result)
# Direct shares use underlying privileges of shared collection
userprivs = []
if access in (
"read-only",
"read-write",
):
userprivs.append(element.Privilege(element.Read()))
userprivs.append(element.Privilege(element.ReadACL()))
userprivs.append(
element.Privilege(element.ReadCurrentUserPrivilegeSet()))
if access in ("read-only", ):
userprivs.append(element.Privilege(element.WriteProperties()))
if access in ("read-write", ):
userprivs.append(element.Privilege(element.Write()))
proxyprivs = list(userprivs)
try:
proxyprivs.remove(element.Privilege(element.ReadACL()))
except ValueError:
# If wiki says no-access then ReadACL won't be in the list
pass
aces = (
# Inheritable specific access for the resource's associated principal.
element.ACE(
element.Principal(element.HRef(sharee.principalURL())),
element.Grant(*userprivs),
element.Protected(),
TwistedACLInheritable(),
), )
if self.isCalendarCollection():
aces += (
# Inheritable CALDAV:read-free-busy access for authenticated users.
element.ACE(
element.Principal(element.Authenticated()),
element.Grant(element.Privilege(caldavxml.ReadFreeBusy())),
TwistedACLInheritable(),
), )
# Give read access to config.ReadPrincipals
aces += config.ReadACEs
# Give all access to config.AdminPrincipals
aces += config.AdminACEs
if self.isCalendarCollection() and config.EnableProxyPrincipals:
aces += (
# DAV:read/DAV:read-current-user-privilege-set access for this principal's calendar-proxy-read users.
element.ACE(
element.Principal(
element.HRef(
joinURL(sharee.principalURL(),
"calendar-proxy-read/"))),
element.Grant(
element.Privilege(element.Read()),
element.Privilege(
element.ReadCurrentUserPrivilegeSet()),
element.Privilege(element.WriteProperties()),
),
element.Protected(),
TwistedACLInheritable(),
),
# DAV:read/DAV:read-current-user-privilege-set/DAV:write access for this principal's calendar-proxy-write users.
element.ACE(
element.Principal(
element.HRef(
joinURL(sharee.principalURL(),
"calendar-proxy-write/"))),
element.Grant(*proxyprivs),
element.Protected(),
TwistedACLInheritable(),
),
)
returnValue(element.ACL(*aces))
