deny create/delete for unknown CalDAV clients
authorCornelius Weiß <c.weiss@metaways.de>
Fri, 2 Oct 2015 08:39:13 +0000 (10:39 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Mon, 12 Oct 2015 09:55:48 +0000 (11:55 +0200)
Change-Id: I6e377f54bf370c75e5eb88711f28f5014e59fd52
NOTE: before, we only denied updates, which was irritating for the users
Reviewed-on: http://gerrit.tine20.com/customers/2244
Tested-by: Jenkins CI (http://ci.tine20.com/)
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
tests/tine20/Calendar/Frontend/WebDAV/ContainerTest.php
tests/tine20/Calendar/Frontend/WebDAV/EventTest.php
tine20/Calendar/Frontend/WebDAV/Event.php

index a2bb09c..2cfa166 100644 (file)
@@ -53,7 +53,10 @@ class Calendar_Frontend_WebDAV_ContainerTest extends PHPUnit_Framework_TestCase
         )));
         
         Tinebase_Container::getInstance()->addGrants($this->objects['initialContainer'], Tinebase_Acl_Rights::ACCOUNT_TYPE_GROUP, Tinebase_Core::getUser()->accountPrimaryGroup, array(Tinebase_Model_Grants::GRANT_READ));
-        
+
+        // rw cal agent
+        $_SERVER['HTTP_USER_AGENT'] = 'CalendarStore/5.0 (1127); iCal/5.0 (1535); Mac OS X/10.7.1 (11B26)';
+
         // must be defined for Calendar/Frontend/WebDAV/Event.php
         $_SERVER['REQUEST_URI'] = 'foobar';
     }
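Review bot: The user agent written to `$_SERVER['HTTP_USER_AGENT']` at line 23 is never restored, so the iCal string leaks into whatever test class runs next in the same PHPUnit process; the `$_SERVER['REQUEST_URI']` assignment just below has the same property. Unless a tearDown() outside this hunk already resets it, save the previous value in setUp(), `$this->_origUserAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;`, and put it back in tearDown(). The comment `// rw cal agent` would also read better if it said why this value matters: `// a client Calendar_Convert_Event_VCalendar_Factory recognises, so create/update/delete are not denied as "unknown client"`. setUp() begins before this hunk.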
@@ -164,8 +167,6 @@ class Calendar_Frontend_WebDAV_ContainerTest extends PHPUnit_Framework_TestCase
      */
     public function testCreateFile()
     {
-        $GLOBALS['_SERVER']['HTTP_USER_AGENT'] = 'FooBar User Agent';
-        
         $vcalendarStream = $this->_getVCalendar(dirname(__FILE__) . '/../../Import/files/lightning.ics');
         
         $container = new Calendar_Frontend_WebDAV_Container($this->objects['initialContainer']);
index ebdded2..b19777e 100644 (file)
@@ -559,25 +559,50 @@ class Calendar_Frontend_WebDAV_EventTest extends Calendar_TestCase
         $this->assertEquals(1, $record->attachments->count());
         $this->assertEquals('agenda2.html', $record->attachments->getFirstRecord()->name);
     }
-    
+
     /**
-     * test updating existing event
+     * test create event from unknown client
      */
-    public function testPutEventFromGenericClient()
+    public function testCreateEventFromGenericClient()
     {
         $_SERVER['HTTP_USER_AGENT'] = 'FooBar User Agent';
-        
+
+        $this->setExpectedException('Sabre\DAV\Exception\Forbidden');
+
         $event = $this->testCreateEventWithInternalOrganizer();
-        
+    }
+
+    /**
+     * test update event from unknown client
+     */
+    public function testPutEventFromGenericClient()
+    {
+        $_SERVER['HTTP_USER_AGENT'] = 'CalendarStore/5.0 (1127); iCal/5.0 (1535); Mac OS X/10.7.1 (11B26)';
+        $event = $this->testCreateEventWithInternalOrganizer();
+
+        $this->setExpectedException('Sabre\DAV\Exception\Forbidden');
+
+        $_SERVER['HTTP_USER_AGENT'] = 'FooBar User Agent';
+        $loadedEvent = new Calendar_Frontend_WebDAV_Event($this->objects['initialContainer'], "{$event->getRecord()->getId()}.ics");
+
         $vcalendarStream = fopen(dirname(__FILE__) . '/../../Import/files/lightning.ics', 'r');
-        
+        $loadedEvent->put($vcalendarStream);
+    }
+
+    /**
+     * test delete event from unknown client
+     */
+    public function testDeleteEventFromGenericClient()
+    {
+        $_SERVER['HTTP_USER_AGENT'] = 'CalendarStore/5.0 (1127); iCal/5.0 (1535); Mac OS X/10.7.1 (11B26)';
+        $event = $this->testCreateEventWithInternalOrganizer();
+
         $this->setExpectedException('Sabre\DAV\Exception\Forbidden');
-        
-        $event->put($vcalendarStream);
-        
-        $record = $event->getRecord();
-        
-        $this->assertEquals('New Event', $record->summary);
+
+        $_SERVER['HTTP_USER_AGENT'] = 'FooBar User Agent';
+        $loadedEvent = new Calendar_Frontend_WebDAV_Event($this->objects['initialContainer'], "{$event->getRecord()->getId()}.ics");
+
+        $loadedEvent->delete();
     }
     
     public function testPutEventMultipleAlarms()
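Review bot: The three new tests only assert that `Sabre\DAV\Exception\Forbidden` is raised; because setExpectedException() ends the test at the throw, none of them checks the outcome the change is about, namely that the event was not created (line 56), not modified (line 75) and not removed (line 97). For the delete case in particular a regression that throws only after the record is gone would still pass. Catching the exception and then re-reading the event through the same WebDAV node class makes the test pin the security-relevant behaviour; the put and create tests can be tightened the same way. The `$_SERVER['HTTP_USER_AGENT']` value is also left at `'FooBar User Agent'` when each test ends, which will affect later tests unless Calendar_TestCase::setUp() (outside the hunk) resets it.
```php
        $_SERVER['HTTP_USER_AGENT'] = 'FooBar User Agent';
        $loadedEvent = new Calendar_Frontend_WebDAV_Event($this->objects['initialContainer'], "{$event->getRecord()->getId()}.ics");

        try {
            $loadedEvent->delete();
            $this->fail('delete by unknown client must throw Sabre\DAV\Exception\Forbidden');
        } catch (Sabre\DAV\Exception\Forbidden $e) {
            // expected; now verify the record survived the denied request
        }

        $reloadedEvent = new Calendar_Frontend_WebDAV_Event($this->objects['initialContainer'], "{$event->getRecord()->getId()}.ics");
        $this->assertEquals($event->getRecord()->summary, $reloadedEvent->getRecord()->summary);
```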
index 0f1a5d0..5946b3d 100644 (file)
@@ -120,9 +120,10 @@ class Calendar_Frontend_WebDAV_Event extends Sabre\DAV\File implements Sabre\Cal
         #Sabre\CalDAV\ICalendarUtil::validateICalendarObject($vobjectData, array('VEVENT', 'VFREEBUSY'));
         
         list($backend, $version) = Calendar_Convert_Event_VCalendar_Factory::parseUserAgent($_SERVER['HTTP_USER_AGENT']);
+        $converter = Calendar_Convert_Event_VCalendar_Factory::factory($backend, $version);
 
         try {
-            $event = Calendar_Convert_Event_VCalendar_Factory::factory($backend, $version)->toTine20Model($vobjectData);
+            $event = $converter->toTine20Model($vobjectData);
         } catch (Exception $e) {
             Tinebase_Core::getLogger()->err(__METHOD__ . '::' . __LINE__ . ' ' . $e);
             Tinebase_Core::getLogger()->err(__METHOD__ . '::' . __LINE__ . " " . $vobjectData);
@@ -169,6 +170,11 @@ class Calendar_Frontend_WebDAV_Event extends Sabre\DAV\File implements Sabre\Cal
         $existingEvent = Calendar_Controller_MSEventFacade::getInstance()->search($filter, null, false, false, 'sync')->getFirstRecord();
         
         if ($existingEvent === null) {
+            if (get_class($converter) == 'Calendar_Convert_Event_VCalendar_Generic') {
+                if (Tinebase_Core::isLogLevel(Zend_Log::WARN))
+                    Tinebase_Core::getLogger()->warn(__METHOD__ . '::' . __LINE__ . " update by generic client not allowed. See Calendar_Convert_Event_VCalendar_Factory for supported clients.");
+                throw new Sabre\DAV\Exception\Forbidden('write access denied for unknown client');
+            }
             try {
                 $event = Calendar_Controller_MSEventFacade::getInstance()->create($event);
                 
@@ -231,6 +237,12 @@ class Calendar_Frontend_WebDAV_Event extends Sabre\DAV\File implements Sabre\Cal
      */
     public function delete() 
     {
+        if (get_class($this->_getConverter()) == 'Calendar_Convert_Event_VCalendar_Generic') {
+            if (Tinebase_Core::isLogLevel(Zend_Log::WARN))
+                Tinebase_Core::getLogger()->warn(__METHOD__ . '::' . __LINE__ . " update by generic client not allowed. See Calendar_Convert_Event_VCalendar_Factory for supported clients.");
+            throw new Sabre\DAV\Exception\Forbidden('write access denied for unknown client');
+        }
+
         // when a move occurs, thunderbird first sends to delete command and immediately a put command
         // we must delay the delete command, otherwise the put command fails
         sleep(5);
@@ -245,7 +257,7 @@ class Calendar_Frontend_WebDAV_Event extends Sabre\DAV\File implements Sabre\Cal
                 Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . " deleting events in the past is not allowed via CalDAV");
             return;
         }
-        
+
         // allow delete only if deleted in origin calendar
         if ($event->container_id == $this->_container->getId()) {
             if (strpos($_SERVER['REQUEST_URI'], Calendar_Frontend_CalDAV_ScheduleInbox::NAME) === false) {
@@ -417,7 +429,7 @@ class Calendar_Frontend_WebDAV_Event extends Sabre\DAV\File implements Sabre\Cal
         if (get_class($this->_getConverter()) == 'Calendar_Convert_Event_VCalendar_Generic') {
             if (Tinebase_Core::isLogLevel(Zend_Log::WARN)) 
                 Tinebase_Core::getLogger()->warn(__METHOD__ . '::' . __LINE__ . " update by generic client not allowed. See Calendar_Convert_Event_VCalendar_Factory for supported clients.");
-            throw new Sabre\DAV\Exception\Forbidden('Update denied for unknown client');
+            throw new Sabre\DAV\Exception\Forbidden('write access denied for unknown client');
         }
 
         $this->_vevent = null;