1403 lines
43 KiB
PHP
1403 lines
43 KiB
PHP
<?php
|
|
|
|
namespace Sabre\DAVACL;
|
|
use Sabre\DAV;
|
|
|
|
/**
|
|
* SabreDAV ACL Plugin
|
|
*
|
|
* This plugin provides functionality to enforce ACL permissions.
|
|
* ACL is defined in RFC3744.
|
|
*
|
|
* In addition it also provides support for the {DAV:}current-user-principal
|
|
* property, defined in RFC5397 and the {DAV:}expand-property report, as
|
|
* defined in RFC3253.
|
|
*
|
|
* @copyright Copyright (C) 2007-2015 fruux GmbH (https://fruux.com/).
|
|
* @author Evert Pot (http://evertpot.com/)
|
|
* @license http://sabre.io/license/ Modified BSD License
|
|
*/
|
|
class Plugin extends DAV\ServerPlugin {
|
|
|
|
/**
|
|
* Recursion constants
|
|
*
|
|
* This only checks the base node
|
|
*/
|
|
const R_PARENT = 1;
|
|
|
|
/**
|
|
* Recursion constants
|
|
*
|
|
* This checks every node in the tree
|
|
*/
|
|
const R_RECURSIVE = 2;
|
|
|
|
/**
|
|
* Recursion constants
|
|
*
|
|
* This checks every parentnode in the tree, but not leaf-nodes.
|
|
*/
|
|
const R_RECURSIVEPARENTS = 3;
|
|
|
|
/**
|
|
* Reference to server object.
|
|
*
|
|
* @var Sabre\DAV\Server
|
|
*/
|
|
protected $server;
|
|
|
|
/**
|
|
* List of urls containing principal collections.
|
|
* Modify this if your principals are located elsewhere.
|
|
*
|
|
* @var array
|
|
*/
|
|
public $principalCollectionSet = array(
|
|
'principals',
|
|
);
|
|
|
|
/**
|
|
* By default ACL is only enforced for nodes that have ACL support (the
|
|
* ones that implement IACL). For any other node, access is
|
|
* always granted.
|
|
*
|
|
* To override this behaviour you can turn this setting off. This is useful
|
|
* if you plan to fully support ACL in the entire tree.
|
|
*
|
|
* @var bool
|
|
*/
|
|
public $allowAccessToNodesWithoutACL = true;
|
|
|
|
/**
|
|
* By default nodes that are inaccessible by the user, can still be seen
|
|
* in directory listings (PROPFIND on parent with Depth: 1)
|
|
*
|
|
* In certain cases it's desirable to hide inaccessible nodes. Setting this
|
|
* to true will cause these nodes to be hidden from directory listings.
|
|
*
|
|
* @var bool
|
|
*/
|
|
public $hideNodesFromListings = false;
|
|
|
|
/**
|
|
* This string is prepended to the username of the currently logged in
|
|
* user. This allows the plugin to determine the principal path based on
|
|
* the username.
|
|
*
|
|
* @var string
|
|
*/
|
|
public $defaultUsernamePath = 'principals';
|
|
|
|
/**
|
|
* This list of properties are the properties a client can search on using
|
|
* the {DAV:}principal-property-search report.
|
|
*
|
|
* The keys are the property names, values are descriptions.
|
|
*
|
|
* @var array
|
|
*/
|
|
public $principalSearchPropertySet = array(
|
|
'{DAV:}displayname' => 'Display name',
|
|
'{http://sabredav.org/ns}email-address' => 'Email address',
|
|
);
|
|
|
|
/**
|
|
* Any principal uri's added here, will automatically be added to the list
|
|
* of ACL's. They will effectively receive {DAV:}all privileges, as a
|
|
* protected privilege.
|
|
*
|
|
* @var array
|
|
*/
|
|
public $adminPrincipals = array();
|
|
|
|
/**
|
|
* Returns a list of features added by this plugin.
|
|
*
|
|
* This list is used in the response of a HTTP OPTIONS request.
|
|
*
|
|
* @return array
|
|
*/
|
|
public function getFeatures() {
|
|
|
|
return array('access-control', 'calendarserver-principal-property-search');
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns a list of available methods for a given url
|
|
*
|
|
* @param string $uri
|
|
* @return array
|
|
*/
|
|
public function getMethods($uri) {
|
|
|
|
return array('ACL');
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns a plugin name.
|
|
*
|
|
* Using this name other plugins will be able to access other plugins
|
|
* using Sabre\DAV\Server::getPlugin
|
|
*
|
|
* @return string
|
|
*/
|
|
public function getPluginName() {
|
|
|
|
return 'acl';
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns a list of reports this plugin supports.
|
|
*
|
|
* This will be used in the {DAV:}supported-report-set property.
|
|
* Note that you still need to subscribe to the 'report' event to actually
|
|
* implement them
|
|
*
|
|
* @param string $uri
|
|
* @return array
|
|
*/
|
|
public function getSupportedReportSet($uri) {
|
|
|
|
return array(
|
|
'{DAV:}expand-property',
|
|
'{DAV:}principal-property-search',
|
|
'{DAV:}principal-search-property-set',
|
|
);
|
|
|
|
}
|
|
|
|
|
|
/**
|
|
* Checks if the current user has the specified privilege(s).
|
|
*
|
|
* You can specify a single privilege, or a list of privileges.
|
|
* This method will throw an exception if the privilege is not available
|
|
* and return true otherwise.
|
|
*
|
|
* @param string $uri
|
|
* @param array|string $privileges
|
|
* @param int $recursion
|
|
* @param bool $throwExceptions if set to false, this method won't throw exceptions.
|
|
* @throws Sabre\DAVACL\Exception\NeedPrivileges
|
|
* @return bool
|
|
*/
|
|
public function checkPrivileges($uri, $privileges, $recursion = self::R_PARENT, $throwExceptions = true) {
|
|
|
|
if (!is_array($privileges)) $privileges = array($privileges);
|
|
|
|
$acl = $this->getCurrentUserPrivilegeSet($uri);
|
|
|
|
if (is_null($acl)) {
|
|
if ($this->allowAccessToNodesWithoutACL) {
|
|
return true;
|
|
} else {
|
|
if ($throwExceptions)
|
|
throw new Exception\NeedPrivileges($uri,$privileges);
|
|
else
|
|
return false;
|
|
|
|
}
|
|
}
|
|
|
|
$failed = array();
|
|
foreach($privileges as $priv) {
|
|
|
|
if (!in_array($priv, $acl)) {
|
|
$failed[] = $priv;
|
|
}
|
|
|
|
}
|
|
|
|
if ($failed) {
|
|
if ($throwExceptions)
|
|
throw new Exception\NeedPrivileges($uri,$failed);
|
|
else
|
|
return false;
|
|
}
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns the standard users' principal.
|
|
*
|
|
* This is one authorative principal url for the current user.
|
|
* This method will return null if the user wasn't logged in.
|
|
*
|
|
* @return string|null
|
|
*/
|
|
public function getCurrentUserPrincipal() {
|
|
|
|
$authPlugin = $this->server->getPlugin('auth');
|
|
if (is_null($authPlugin)) return null;
|
|
/** @var $authPlugin Sabre\DAV\Auth\Plugin */
|
|
|
|
$userName = $authPlugin->getCurrentUser();
|
|
if (!$userName) return null;
|
|
|
|
return $this->defaultUsernamePath . '/' . $userName;
|
|
|
|
}
|
|
|
|
|
|
/**
|
|
* Returns a list of principals that's associated to the current
|
|
* user, either directly or through group membership.
|
|
*
|
|
* @return array
|
|
*/
|
|
public function getCurrentUserPrincipals() {
|
|
|
|
$currentUser = $this->getCurrentUserPrincipal();
|
|
|
|
if (is_null($currentUser)) return array();
|
|
|
|
return array_merge(
|
|
array($currentUser),
|
|
$this->getPrincipalMembership($currentUser)
|
|
);
|
|
|
|
}
|
|
|
|
/**
|
|
* This array holds a cache for all the principals that are associated with
|
|
* a single principal.
|
|
*
|
|
* @var array
|
|
*/
|
|
protected $principalMembershipCache = array();
|
|
|
|
|
|
/**
|
|
* Returns all the principal groups the specified principal is a member of.
|
|
*
|
|
* @param string $principal
|
|
* @return array
|
|
*/
|
|
public function getPrincipalMembership($mainPrincipal) {
|
|
|
|
// First check our cache
|
|
if (isset($this->principalMembershipCache[$mainPrincipal])) {
|
|
return $this->principalMembershipCache[$mainPrincipal];
|
|
}
|
|
|
|
$check = array($mainPrincipal);
|
|
$principals = array();
|
|
|
|
while(count($check)) {
|
|
|
|
$principal = array_shift($check);
|
|
|
|
$node = $this->server->tree->getNodeForPath($principal);
|
|
if ($node instanceof IPrincipal) {
|
|
foreach($node->getGroupMembership() as $groupMember) {
|
|
|
|
if (!in_array($groupMember, $principals)) {
|
|
|
|
$check[] = $groupMember;
|
|
$principals[] = $groupMember;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// Store the result in the cache
|
|
$this->principalMembershipCache[$mainPrincipal] = $principals;
|
|
|
|
return $principals;
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns the supported privilege structure for this ACL plugin.
|
|
*
|
|
* See RFC3744 for more details. Currently we default on a simple,
|
|
* standard structure.
|
|
*
|
|
* You can either get the list of privileges by a uri (path) or by
|
|
* specifying a Node.
|
|
*
|
|
* @param string|DAV\INode $node
|
|
* @return array
|
|
*/
|
|
public function getSupportedPrivilegeSet($node) {
|
|
|
|
if (is_string($node)) {
|
|
$node = $this->server->tree->getNodeForPath($node);
|
|
}
|
|
|
|
if ($node instanceof IACL) {
|
|
$result = $node->getSupportedPrivilegeSet();
|
|
|
|
if ($result)
|
|
return $result;
|
|
}
|
|
|
|
return self::getDefaultSupportedPrivilegeSet();
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns a fairly standard set of privileges, which may be useful for
|
|
* other systems to use as a basis.
|
|
*
|
|
* @return array
|
|
*/
|
|
static function getDefaultSupportedPrivilegeSet() {
|
|
|
|
return array(
|
|
'privilege' => '{DAV:}all',
|
|
'abstract' => true,
|
|
'aggregates' => array(
|
|
array(
|
|
'privilege' => '{DAV:}read',
|
|
'aggregates' => array(
|
|
array(
|
|
'privilege' => '{DAV:}read-acl',
|
|
'abstract' => true,
|
|
),
|
|
array(
|
|
'privilege' => '{DAV:}read-current-user-privilege-set',
|
|
'abstract' => true,
|
|
),
|
|
),
|
|
), // {DAV:}read
|
|
array(
|
|
'privilege' => '{DAV:}write',
|
|
'aggregates' => array(
|
|
array(
|
|
'privilege' => '{DAV:}write-acl',
|
|
'abstract' => true,
|
|
),
|
|
array(
|
|
'privilege' => '{DAV:}write-properties',
|
|
'abstract' => true,
|
|
),
|
|
array(
|
|
'privilege' => '{DAV:}write-content',
|
|
'abstract' => true,
|
|
),
|
|
array(
|
|
'privilege' => '{DAV:}bind',
|
|
'abstract' => true,
|
|
),
|
|
array(
|
|
'privilege' => '{DAV:}unbind',
|
|
'abstract' => true,
|
|
),
|
|
array(
|
|
'privilege' => '{DAV:}unlock',
|
|
'abstract' => true,
|
|
),
|
|
),
|
|
), // {DAV:}write
|
|
),
|
|
); // {DAV:}all
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns the supported privilege set as a flat list
|
|
*
|
|
* This is much easier to parse.
|
|
*
|
|
* The returned list will be index by privilege name.
|
|
* The value is a struct containing the following properties:
|
|
* - aggregates
|
|
* - abstract
|
|
* - concrete
|
|
*
|
|
* @param string|DAV\INode $node
|
|
* @return array
|
|
*/
|
|
final public function getFlatPrivilegeSet($node) {
|
|
|
|
$privs = $this->getSupportedPrivilegeSet($node);
|
|
|
|
$flat = array();
|
|
$this->getFPSTraverse($privs, null, $flat);
|
|
|
|
return $flat;
|
|
|
|
}
|
|
|
|
/**
|
|
* Traverses the privilege set tree for reordering
|
|
*
|
|
* This function is solely used by getFlatPrivilegeSet, and would have been
|
|
* a closure if it wasn't for the fact I need to support PHP 5.2.
|
|
*
|
|
* @param array $priv
|
|
* @param $concrete
|
|
* @param array $flat
|
|
* @return void
|
|
*/
|
|
final private function getFPSTraverse($priv, $concrete, &$flat) {
|
|
|
|
$myPriv = array(
|
|
'privilege' => $priv['privilege'],
|
|
'abstract' => isset($priv['abstract']) && $priv['abstract'],
|
|
'aggregates' => array(),
|
|
'concrete' => isset($priv['abstract']) && $priv['abstract']?$concrete:$priv['privilege'],
|
|
);
|
|
|
|
if (isset($priv['aggregates']))
|
|
foreach($priv['aggregates'] as $subPriv) $myPriv['aggregates'][] = $subPriv['privilege'];
|
|
|
|
$flat[$priv['privilege']] = $myPriv;
|
|
|
|
if (isset($priv['aggregates'])) {
|
|
|
|
foreach($priv['aggregates'] as $subPriv) {
|
|
|
|
$this->getFPSTraverse($subPriv, $myPriv['concrete'], $flat);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns the full ACL list.
|
|
*
|
|
* Either a uri or a DAV\INode may be passed.
|
|
*
|
|
* null will be returned if the node doesn't support ACLs.
|
|
*
|
|
* @param string|DAV\INode $node
|
|
* @return array
|
|
*/
|
|
public function getACL($node) {
|
|
|
|
if (is_string($node)) {
|
|
$node = $this->server->tree->getNodeForPath($node);
|
|
}
|
|
if (!$node instanceof IACL) {
|
|
return null;
|
|
}
|
|
$acl = $node->getACL();
|
|
foreach($this->adminPrincipals as $adminPrincipal) {
|
|
$acl[] = array(
|
|
'principal' => $adminPrincipal,
|
|
'privilege' => '{DAV:}all',
|
|
'protected' => true,
|
|
);
|
|
}
|
|
return $acl;
|
|
|
|
}
|
|
|
|
/**
|
|
* Returns a list of privileges the current user has
|
|
* on a particular node.
|
|
*
|
|
* Either a uri or a DAV\INode may be passed.
|
|
*
|
|
* null will be returned if the node doesn't support ACLs.
|
|
*
|
|
* @param string|DAV\INode $node
|
|
* @return array
|
|
*/
|
|
public function getCurrentUserPrivilegeSet($node) {
|
|
|
|
if (is_string($node)) {
|
|
$node = $this->server->tree->getNodeForPath($node);
|
|
}
|
|
|
|
$acl = $this->getACL($node);
|
|
|
|
if (is_null($acl)) return null;
|
|
|
|
$principals = $this->getCurrentUserPrincipals();
|
|
|
|
$collected = array();
|
|
|
|
foreach($acl as $ace) {
|
|
|
|
$principal = $ace['principal'];
|
|
|
|
switch($principal) {
|
|
|
|
case '{DAV:}owner' :
|
|
$owner = $node->getOwner();
|
|
if ($owner && in_array($owner, $principals)) {
|
|
$collected[] = $ace;
|
|
}
|
|
break;
|
|
|
|
|
|
// 'all' matches for every user
|
|
case '{DAV:}all' :
|
|
|
|
// 'authenticated' matched for every user that's logged in.
|
|
// Since it's not possible to use ACL while not being logged
|
|
// in, this is also always true.
|
|
case '{DAV:}authenticated' :
|
|
$collected[] = $ace;
|
|
break;
|
|
|
|
// 'unauthenticated' can never occur either, so we simply
|
|
// ignore these.
|
|
case '{DAV:}unauthenticated' :
|
|
break;
|
|
|
|
default :
|
|
if (in_array($ace['principal'], $principals)) {
|
|
$collected[] = $ace;
|
|
}
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
// Now we deduct all aggregated privileges.
|
|
$flat = $this->getFlatPrivilegeSet($node);
|
|
|
|
$collected2 = array();
|
|
while(count($collected)) {
|
|
|
|
$current = array_pop($collected);
|
|
$collected2[] = $current['privilege'];
|
|
|
|
foreach($flat[$current['privilege']]['aggregates'] as $subPriv) {
|
|
$collected2[] = $subPriv;
|
|
$collected[] = $flat[$subPriv];
|
|
}
|
|
|
|
}
|
|
|
|
return array_values(array_unique($collected2));
|
|
|
|
}
|
|
|
|
/**
|
|
* Principal property search
|
|
*
|
|
* This method can search for principals matching certain values in
|
|
* properties.
|
|
*
|
|
* This method will return a list of properties for the matched properties.
|
|
*
|
|
* @param array $searchProperties The properties to search on. This is a
|
|
* key-value list. The keys are property
|
|
* names, and the values the strings to
|
|
* match them on.
|
|
* @param array $requestedProperties This is the list of properties to
|
|
* return for every match.
|
|
* @param string $collectionUri The principal collection to search on.
|
|
* If this is ommitted, the standard
|
|
* principal collection-set will be used.
|
|
* @return array This method returns an array structure similar to
|
|
* Sabre\DAV\Server::getPropertiesForPath. Returned
|
|
* properties are index by a HTTP status code.
|
|
*
|
|
*/
|
|
public function principalSearch(array $searchProperties, array $requestedProperties, $collectionUri = null) {
|
|
|
|
if (!is_null($collectionUri)) {
|
|
$uris = array($collectionUri);
|
|
} else {
|
|
$uris = $this->principalCollectionSet;
|
|
}
|
|
|
|
$lookupResults = array();
|
|
foreach($uris as $uri) {
|
|
|
|
$principalCollection = $this->server->tree->getNodeForPath($uri);
|
|
if (!$principalCollection instanceof IPrincipalCollection) {
|
|
// Not a principal collection, we're simply going to ignore
|
|
// this.
|
|
continue;
|
|
}
|
|
|
|
$results = $principalCollection->searchPrincipals($searchProperties);
|
|
foreach($results as $result) {
|
|
$lookupResults[] = rtrim($uri,'/') . '/' . $result;
|
|
}
|
|
|
|
}
|
|
|
|
$matches = array();
|
|
|
|
foreach($lookupResults as $lookupResult) {
|
|
|
|
list($matches[]) = $this->server->getPropertiesForPath($lookupResult, $requestedProperties, 0);
|
|
|
|
}
|
|
|
|
return $matches;
|
|
|
|
}
|
|
|
|
/**
|
|
* Sets up the plugin
|
|
*
|
|
* This method is automatically called by the server class.
|
|
*
|
|
* @param DAV\Server $server
|
|
* @return void
|
|
*/
|
|
public function initialize(DAV\Server $server) {
|
|
|
|
$this->server = $server;
|
|
$server->subscribeEvent('beforeGetProperties',array($this,'beforeGetProperties'));
|
|
|
|
$server->subscribeEvent('beforeMethod', array($this,'beforeMethod'),20);
|
|
$server->subscribeEvent('beforeBind', array($this,'beforeBind'),20);
|
|
$server->subscribeEvent('beforeUnbind', array($this,'beforeUnbind'),20);
|
|
$server->subscribeEvent('updateProperties',array($this,'updateProperties'));
|
|
$server->subscribeEvent('beforeUnlock', array($this,'beforeUnlock'),20);
|
|
$server->subscribeEvent('report',array($this,'report'));
|
|
$server->subscribeEvent('unknownMethod', array($this, 'unknownMethod'));
|
|
|
|
array_push($server->protectedProperties,
|
|
'{DAV:}alternate-URI-set',
|
|
'{DAV:}principal-URL',
|
|
'{DAV:}group-membership',
|
|
'{DAV:}principal-collection-set',
|
|
'{DAV:}current-user-principal',
|
|
'{DAV:}supported-privilege-set',
|
|
'{DAV:}current-user-privilege-set',
|
|
'{DAV:}acl',
|
|
'{DAV:}acl-restrictions',
|
|
'{DAV:}inherited-acl-set',
|
|
'{DAV:}owner',
|
|
'{DAV:}group'
|
|
);
|
|
|
|
// Automatically mapping nodes implementing IPrincipal to the
|
|
// {DAV:}principal resourcetype.
|
|
$server->resourceTypeMapping['Sabre\\DAVACL\\IPrincipal'] = '{DAV:}principal';
|
|
|
|
// Mapping the group-member-set property to the HrefList property
|
|
// class.
|
|
$server->propertyMap['{DAV:}group-member-set'] = 'Sabre\\DAV\\Property\\HrefList';
|
|
|
|
}
|
|
|
|
|
|
/* {{{ Event handlers */
|
|
|
|
/**
|
|
* Triggered before any method is handled
|
|
*
|
|
* @param string $method
|
|
* @param string $uri
|
|
* @return void
|
|
*/
|
|
public function beforeMethod($method, $uri) {
|
|
|
|
$exists = $this->server->tree->nodeExists($uri);
|
|
|
|
// If the node doesn't exists, none of these checks apply
|
|
if (!$exists) return;
|
|
|
|
switch($method) {
|
|
|
|
case 'GET' :
|
|
case 'HEAD' :
|
|
case 'OPTIONS' :
|
|
// For these 3 we only need to know if the node is readable.
|
|
$this->checkPrivileges($uri,'{DAV:}read');
|
|
break;
|
|
|
|
case 'PUT' :
|
|
case 'LOCK' :
|
|
case 'UNLOCK' :
|
|
// This method requires the write-content priv if the node
|
|
// already exists, and bind on the parent if the node is being
|
|
// created.
|
|
// The bind privilege is handled in the beforeBind event.
|
|
$this->checkPrivileges($uri,'{DAV:}write-content');
|
|
break;
|
|
|
|
|
|
case 'PROPPATCH' :
|
|
$this->checkPrivileges($uri,'{DAV:}write-properties');
|
|
break;
|
|
|
|
case 'ACL' :
|
|
$this->checkPrivileges($uri,'{DAV:}write-acl');
|
|
break;
|
|
|
|
case 'COPY' :
|
|
case 'MOVE' :
|
|
// Copy requires read privileges on the entire source tree.
|
|
// If the target exists write-content normally needs to be
|
|
// checked, however, we're deleting the node beforehand and
|
|
// creating a new one after, so this is handled by the
|
|
// beforeUnbind event.
|
|
//
|
|
// The creation of the new node is handled by the beforeBind
|
|
// event.
|
|
//
|
|
// If MOVE is used beforeUnbind will also be used to check if
|
|
// the sourcenode can be deleted.
|
|
$this->checkPrivileges($uri,'{DAV:}read',self::R_RECURSIVE);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* Triggered before a new node is created.
|
|
*
|
|
* This allows us to check permissions for any operation that creates a
|
|
* new node, such as PUT, MKCOL, MKCALENDAR, LOCK, COPY and MOVE.
|
|
*
|
|
* @param string $uri
|
|
* @return void
|
|
*/
|
|
public function beforeBind($uri) {
|
|
|
|
list($parentUri,$nodeName) = DAV\URLUtil::splitPath($uri);
|
|
$this->checkPrivileges($parentUri,'{DAV:}bind');
|
|
|
|
}
|
|
|
|
/**
|
|
* Triggered before a node is deleted
|
|
*
|
|
* This allows us to check permissions for any operation that will delete
|
|
* an existing node.
|
|
*
|
|
* @param string $uri
|
|
* @return void
|
|
*/
|
|
public function beforeUnbind($uri) {
|
|
|
|
list($parentUri,$nodeName) = DAV\URLUtil::splitPath($uri);
|
|
$this->checkPrivileges($parentUri,'{DAV:}unbind',self::R_RECURSIVEPARENTS);
|
|
|
|
}
|
|
|
|
/**
|
|
* Triggered before a node is unlocked.
|
|
*
|
|
* @param string $uri
|
|
* @param DAV\Locks\LockInfo $lock
|
|
* @TODO: not yet implemented
|
|
* @return void
|
|
*/
|
|
public function beforeUnlock($uri, DAV\Locks\LockInfo $lock) {
|
|
|
|
|
|
}
|
|
|
|
/**
|
|
* Triggered before properties are looked up in specific nodes.
|
|
*
|
|
* @param string $uri
|
|
* @param DAV\INode $node
|
|
* @param array $requestedProperties
|
|
* @param array $returnedProperties
|
|
* @TODO really should be broken into multiple methods, or even a class.
|
|
* @return bool
|
|
*/
|
|
public function beforeGetProperties($uri, DAV\INode $node, &$requestedProperties, &$returnedProperties) {
|
|
|
|
// Checking the read permission
|
|
if (!$this->checkPrivileges($uri,'{DAV:}read',self::R_PARENT,false)) {
|
|
|
|
// User is not allowed to read properties
|
|
if ($this->hideNodesFromListings) {
|
|
return false;
|
|
}
|
|
|
|
// Marking all requested properties as '403'.
|
|
foreach($requestedProperties as $key=>$requestedProperty) {
|
|
unset($requestedProperties[$key]);
|
|
$returnedProperties[403][$requestedProperty] = null;
|
|
}
|
|
return;
|
|
|
|
}
|
|
|
|
/* Adding principal properties */
|
|
if ($node instanceof IPrincipal) {
|
|
|
|
if (false !== ($index = array_search('{DAV:}alternate-URI-set', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}alternate-URI-set'] = new DAV\Property\HrefList($node->getAlternateUriSet());
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}principal-URL', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}principal-URL'] = new DAV\Property\Href($node->getPrincipalUrl() . '/');
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}group-member-set', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}group-member-set'] = new DAV\Property\HrefList($node->getGroupMemberSet());
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}group-membership', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}group-membership'] = new DAV\Property\HrefList($node->getGroupMembership());
|
|
|
|
}
|
|
|
|
if (false !== ($index = array_search('{DAV:}displayname', $requestedProperties))) {
|
|
|
|
$returnedProperties[200]['{DAV:}displayname'] = $node->getDisplayName();
|
|
|
|
}
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}principal-collection-set', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$val = $this->principalCollectionSet;
|
|
// Ensuring all collections end with a slash
|
|
foreach($val as $k=>$v) $val[$k] = $v . '/';
|
|
$returnedProperties[200]['{DAV:}principal-collection-set'] = new DAV\Property\HrefList($val);
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}current-user-principal', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
if ($url = $this->getCurrentUserPrincipal()) {
|
|
$returnedProperties[200]['{DAV:}current-user-principal'] = new Property\Principal(Property\Principal::HREF, $url . '/');
|
|
} else {
|
|
$returnedProperties[200]['{DAV:}current-user-principal'] = new Property\Principal(Property\Principal::UNAUTHENTICATED);
|
|
}
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}supported-privilege-set', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}supported-privilege-set'] = new Property\SupportedPrivilegeSet($this->getSupportedPrivilegeSet($node));
|
|
|
|
}
|
|
if (false !== ($index = array_search('{DAV:}current-user-privilege-set', $requestedProperties))) {
|
|
|
|
if (!$this->checkPrivileges($uri, '{DAV:}read-current-user-privilege-set', self::R_PARENT, false)) {
|
|
$returnedProperties[403]['{DAV:}current-user-privilege-set'] = null;
|
|
unset($requestedProperties[$index]);
|
|
} else {
|
|
$val = $this->getCurrentUserPrivilegeSet($node);
|
|
if (!is_null($val)) {
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}current-user-privilege-set'] = new Property\CurrentUserPrivilegeSet($val);
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
/* The ACL property contains all the permissions */
|
|
if (false !== ($index = array_search('{DAV:}acl', $requestedProperties))) {
|
|
|
|
if (!$this->checkPrivileges($uri, '{DAV:}read-acl', self::R_PARENT, false)) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[403]['{DAV:}acl'] = null;
|
|
|
|
} else {
|
|
|
|
$acl = $this->getACL($node);
|
|
if (!is_null($acl)) {
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}acl'] = new Property\Acl($this->getACL($node));
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* The acl-restrictions property contains information on how privileges
|
|
* must behave.
|
|
*/
|
|
if (false !== ($index = array_search('{DAV:}acl-restrictions', $requestedProperties))) {
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}acl-restrictions'] = new Property\AclRestrictions();
|
|
}
|
|
|
|
/* Adding ACL properties */
|
|
if ($node instanceof IACL) {
|
|
|
|
if (false !== ($index = array_search('{DAV:}owner', $requestedProperties))) {
|
|
|
|
unset($requestedProperties[$index]);
|
|
$returnedProperties[200]['{DAV:}owner'] = new DAV\Property\Href($node->getOwner() . '/');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* This method intercepts PROPPATCH methods and make sure the
|
|
* group-member-set is updated correctly.
|
|
*
|
|
* @param array $propertyDelta
|
|
* @param array $result
|
|
* @param DAV\INode $node
|
|
* @return bool
|
|
*/
|
|
public function updateProperties(&$propertyDelta, &$result, DAV\INode $node) {
|
|
|
|
if (!array_key_exists('{DAV:}group-member-set', $propertyDelta))
|
|
return;
|
|
|
|
if (is_null($propertyDelta['{DAV:}group-member-set'])) {
|
|
$memberSet = array();
|
|
} elseif ($propertyDelta['{DAV:}group-member-set'] instanceof DAV\Property\HrefList) {
|
|
$memberSet = array_map(
|
|
array($this->server,'calculateUri'),
|
|
$propertyDelta['{DAV:}group-member-set']->getHrefs()
|
|
);
|
|
} else {
|
|
throw new DAV\Exception('The group-member-set property MUST be an instance of Sabre\DAV\Property\HrefList or null');
|
|
}
|
|
|
|
if (!($node instanceof IPrincipal)) {
|
|
$result[403]['{DAV:}group-member-set'] = null;
|
|
unset($propertyDelta['{DAV:}group-member-set']);
|
|
|
|
// Returning false will stop the updateProperties process
|
|
return false;
|
|
}
|
|
|
|
$node->setGroupMemberSet($memberSet);
|
|
// We must also clear our cache, just in case
|
|
|
|
$this->principalMembershipCache = array();
|
|
|
|
$result[200]['{DAV:}group-member-set'] = null;
|
|
unset($propertyDelta['{DAV:}group-member-set']);
|
|
|
|
}
|
|
|
|
/**
|
|
* This method handles HTTP REPORT requests
|
|
*
|
|
* @param string $reportName
|
|
* @param \DOMNode $dom
|
|
* @return bool
|
|
*/
|
|
public function report($reportName, $dom) {
|
|
|
|
switch($reportName) {
|
|
|
|
case '{DAV:}principal-property-search' :
|
|
$this->principalPropertySearchReport($dom);
|
|
return false;
|
|
case '{DAV:}principal-search-property-set' :
|
|
$this->principalSearchPropertySetReport($dom);
|
|
return false;
|
|
case '{DAV:}expand-property' :
|
|
$this->expandPropertyReport($dom);
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* This event is triggered for any HTTP method that is not known by the
|
|
* webserver.
|
|
*
|
|
* @param string $method
|
|
* @param string $uri
|
|
* @return bool
|
|
*/
|
|
public function unknownMethod($method, $uri) {
|
|
|
|
if ($method!=='ACL') return;
|
|
|
|
$this->httpACL($uri);
|
|
return false;
|
|
|
|
}
|
|
|
|
/**
|
|
* This method is responsible for handling the 'ACL' event.
|
|
*
|
|
* @param string $uri
|
|
* @return void
|
|
*/
|
|
public function httpACL($uri) {
|
|
|
|
$body = $this->server->httpRequest->getBody(true);
|
|
$dom = DAV\XMLUtil::loadDOMDocument($body);
|
|
|
|
$newAcl =
|
|
Property\Acl::unserialize($dom->firstChild)
|
|
->getPrivileges();
|
|
|
|
// Normalizing urls
|
|
foreach($newAcl as $k=>$newAce) {
|
|
$newAcl[$k]['principal'] = $this->server->calculateUri($newAce['principal']);
|
|
}
|
|
|
|
$node = $this->server->tree->getNodeForPath($uri);
|
|
|
|
if (!($node instanceof IACL)) {
|
|
throw new DAV\Exception\MethodNotAllowed('This node does not support the ACL method');
|
|
}
|
|
|
|
$oldAcl = $this->getACL($node);
|
|
|
|
$supportedPrivileges = $this->getFlatPrivilegeSet($node);
|
|
|
|
/* Checking if protected principals from the existing principal set are
|
|
not overwritten. */
|
|
foreach($oldAcl as $oldAce) {
|
|
|
|
if (!isset($oldAce['protected']) || !$oldAce['protected']) continue;
|
|
|
|
$found = false;
|
|
foreach($newAcl as $newAce) {
|
|
if (
|
|
$newAce['privilege'] === $oldAce['privilege'] &&
|
|
$newAce['principal'] === $oldAce['principal'] &&
|
|
$newAce['protected']
|
|
)
|
|
$found = true;
|
|
}
|
|
|
|
if (!$found)
|
|
throw new Exception\AceConflict('This resource contained a protected {DAV:}ace, but this privilege did not occur in the ACL request');
|
|
|
|
}
|
|
|
|
foreach($newAcl as $newAce) {
|
|
|
|
// Do we recognize the privilege
|
|
if (!isset($supportedPrivileges[$newAce['privilege']])) {
|
|
throw new Exception\NotSupportedPrivilege('The privilege you specified (' . $newAce['privilege'] . ') is not recognized by this server');
|
|
}
|
|
|
|
if ($supportedPrivileges[$newAce['privilege']]['abstract']) {
|
|
throw new Exception\NoAbstract('The privilege you specified (' . $newAce['privilege'] . ') is an abstract privilege');
|
|
}
|
|
|
|
// Looking up the principal
|
|
try {
|
|
$principal = $this->server->tree->getNodeForPath($newAce['principal']);
|
|
} catch (DAV\Exception\NotFound $e) {
|
|
throw new Exception\NotRecognizedPrincipal('The specified principal (' . $newAce['principal'] . ') does not exist');
|
|
}
|
|
if (!($principal instanceof IPrincipal)) {
|
|
throw new Exception\NotRecognizedPrincipal('The specified uri (' . $newAce['principal'] . ') is not a principal');
|
|
}
|
|
|
|
}
|
|
$node->setACL($newAcl);
|
|
|
|
}
|
|
|
|
/* }}} */
|
|
|
|
/* Reports {{{ */
|
|
|
|
/**
|
|
* The expand-property report is defined in RFC3253 section 3-8.
|
|
*
|
|
* This report is very similar to a standard PROPFIND. The difference is
|
|
* that it has the additional ability to look at properties containing a
|
|
* {DAV:}href element, follow that property and grab additional elements
|
|
* there.
|
|
*
|
|
* Other rfc's, such as ACL rely on this report, so it made sense to put
|
|
* it in this plugin.
|
|
*
|
|
* @param \DOMElement $dom
|
|
* @return void
|
|
*/
|
|
protected function expandPropertyReport($dom) {
|
|
|
|
$requestedProperties = $this->parseExpandPropertyReportRequest($dom->firstChild->firstChild);
|
|
$depth = $this->server->getHTTPDepth(0);
|
|
$requestUri = $this->server->getRequestUri();
|
|
|
|
$result = $this->expandProperties($requestUri,$requestedProperties,$depth);
|
|
|
|
$dom = new \DOMDocument('1.0','utf-8');
|
|
$dom->formatOutput = true;
|
|
$multiStatus = $dom->createElement('d:multistatus');
|
|
$dom->appendChild($multiStatus);
|
|
|
|
// Adding in default namespaces
|
|
foreach($this->server->xmlNamespaces as $namespace=>$prefix) {
|
|
|
|
$multiStatus->setAttribute('xmlns:' . $prefix,$namespace);
|
|
|
|
}
|
|
|
|
foreach($result as $response) {
|
|
$response->serialize($this->server, $multiStatus);
|
|
}
|
|
|
|
$xml = $dom->saveXML();
|
|
$this->server->httpResponse->setHeader('Content-Type','application/xml; charset=utf-8');
|
|
$this->server->httpResponse->sendStatus(207);
|
|
$this->server->httpResponse->sendBody($xml);
|
|
|
|
}
|
|
|
|
/**
|
|
* This method is used by expandPropertyReport to parse
|
|
* out the entire HTTP request.
|
|
*
|
|
* @param \DOMElement $node
|
|
* @return array
|
|
*/
|
|
protected function parseExpandPropertyReportRequest($node) {
|
|
|
|
$requestedProperties = array();
|
|
do {
|
|
|
|
if (DAV\XMLUtil::toClarkNotation($node)!=='{DAV:}property') continue;
|
|
|
|
if ($node->firstChild) {
|
|
|
|
$children = $this->parseExpandPropertyReportRequest($node->firstChild);
|
|
|
|
} else {
|
|
|
|
$children = array();
|
|
|
|
}
|
|
|
|
$namespace = $node->getAttribute('namespace');
|
|
if (!$namespace) $namespace = 'DAV:';
|
|
|
|
$propName = '{'.$namespace.'}' . $node->getAttribute('name');
|
|
$requestedProperties[$propName] = $children;
|
|
|
|
} while ($node = $node->nextSibling);
|
|
|
|
return $requestedProperties;
|
|
|
|
}
|
|
|
|
/**
|
|
* This method expands all the properties and returns
|
|
* a list with property values
|
|
*
|
|
* @param array $path
|
|
* @param array $requestedProperties the list of required properties
|
|
* @param int $depth
|
|
* @return array
|
|
*/
|
|
protected function expandProperties($path, array $requestedProperties, $depth) {
|
|
|
|
$foundProperties = $this->server->getPropertiesForPath($path, array_keys($requestedProperties), $depth);
|
|
|
|
$result = array();
|
|
|
|
foreach($foundProperties as $node) {
|
|
|
|
foreach($requestedProperties as $propertyName=>$childRequestedProperties) {
|
|
|
|
// We're only traversing if sub-properties were requested
|
|
if(count($childRequestedProperties)===0) continue;
|
|
|
|
// We only have to do the expansion if the property was found
|
|
// and it contains an href element.
|
|
if (!array_key_exists($propertyName,$node[200])) continue;
|
|
|
|
if ($node[200][$propertyName] instanceof DAV\Property\IHref) {
|
|
$hrefs = array($node[200][$propertyName]->getHref());
|
|
} elseif ($node[200][$propertyName] instanceof DAV\Property\HrefList) {
|
|
$hrefs = $node[200][$propertyName]->getHrefs();
|
|
}
|
|
|
|
$childProps = array();
|
|
foreach($hrefs as $href) {
|
|
$childProps = array_merge($childProps, $this->expandProperties($href, $childRequestedProperties, 0));
|
|
}
|
|
$node[200][$propertyName] = new DAV\Property\ResponseList($childProps);
|
|
|
|
}
|
|
$result[] = new DAV\Property\Response($node['href'], $node);
|
|
|
|
}
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
/**
|
|
* principalSearchPropertySetReport
|
|
*
|
|
* This method responsible for handing the
|
|
* {DAV:}principal-search-property-set report. This report returns a list
|
|
* of properties the client may search on, using the
|
|
* {DAV:}principal-property-search report.
|
|
*
|
|
* @param \DOMDocument $dom
|
|
* @return void
|
|
*/
|
|
protected function principalSearchPropertySetReport(\DOMDocument $dom) {
|
|
|
|
$httpDepth = $this->server->getHTTPDepth(0);
|
|
if ($httpDepth!==0) {
|
|
throw new DAV\Exception\BadRequest('This report is only defined when Depth: 0');
|
|
}
|
|
|
|
if ($dom->firstChild->hasChildNodes())
|
|
throw new DAV\Exception\BadRequest('The principal-search-property-set report element is not allowed to have child elements');
|
|
|
|
$dom = new \DOMDocument('1.0','utf-8');
|
|
$dom->formatOutput = true;
|
|
$root = $dom->createElement('d:principal-search-property-set');
|
|
$dom->appendChild($root);
|
|
// Adding in default namespaces
|
|
foreach($this->server->xmlNamespaces as $namespace=>$prefix) {
|
|
|
|
$root->setAttribute('xmlns:' . $prefix,$namespace);
|
|
|
|
}
|
|
|
|
$nsList = $this->server->xmlNamespaces;
|
|
|
|
foreach($this->principalSearchPropertySet as $propertyName=>$description) {
|
|
|
|
$psp = $dom->createElement('d:principal-search-property');
|
|
$root->appendChild($psp);
|
|
|
|
$prop = $dom->createElement('d:prop');
|
|
$psp->appendChild($prop);
|
|
|
|
$propName = null;
|
|
preg_match('/^{([^}]*)}(.*)$/',$propertyName,$propName);
|
|
|
|
$currentProperty = $dom->createElement($nsList[$propName[1]] . ':' . $propName[2]);
|
|
$prop->appendChild($currentProperty);
|
|
|
|
$descriptionElem = $dom->createElement('d:description');
|
|
$descriptionElem->setAttribute('xml:lang','en');
|
|
$descriptionElem->appendChild($dom->createTextNode($description));
|
|
$psp->appendChild($descriptionElem);
|
|
|
|
|
|
}
|
|
|
|
$this->server->httpResponse->setHeader('Content-Type','application/xml; charset=utf-8');
|
|
$this->server->httpResponse->sendStatus(200);
|
|
$this->server->httpResponse->sendBody($dom->saveXML());
|
|
|
|
}
|
|
|
|
/**
|
|
* principalPropertySearchReport
|
|
*
|
|
* This method is responsible for handing the
|
|
* {DAV:}principal-property-search report. This report can be used for
|
|
* clients to search for groups of principals, based on the value of one
|
|
* or more properties.
|
|
*
|
|
* @param \DOMDocument $dom
|
|
* @return void
|
|
*/
|
|
protected function principalPropertySearchReport(\DOMDocument $dom) {
|
|
|
|
list($searchProperties, $requestedProperties, $applyToPrincipalCollectionSet) = $this->parsePrincipalPropertySearchReportRequest($dom);
|
|
|
|
$uri = null;
|
|
if (!$applyToPrincipalCollectionSet) {
|
|
$uri = $this->server->getRequestUri();
|
|
}
|
|
$result = $this->principalSearch($searchProperties, $requestedProperties, $uri);
|
|
|
|
$prefer = $this->server->getHTTPPRefer();
|
|
|
|
$this->server->httpResponse->sendStatus(207);
|
|
$this->server->httpResponse->setHeader('Content-Type','application/xml; charset=utf-8');
|
|
$this->server->httpResponse->setHeader('Vary','Brief,Prefer');
|
|
$this->server->httpResponse->sendBody($this->server->generateMultiStatus($result, $prefer['return-minimal']));
|
|
|
|
}
|
|
|
|
/**
|
|
* parsePrincipalPropertySearchReportRequest
|
|
*
|
|
* This method parses the request body from a
|
|
* {DAV:}principal-property-search report.
|
|
*
|
|
* This method returns an array with two elements:
|
|
* 1. an array with properties to search on, and their values
|
|
* 2. a list of propertyvalues that should be returned for the request.
|
|
*
|
|
* @param \DOMDocument $dom
|
|
* @return array
|
|
*/
|
|
protected function parsePrincipalPropertySearchReportRequest($dom) {
|
|
|
|
$httpDepth = $this->server->getHTTPDepth(0);
|
|
if ($httpDepth!==0) {
|
|
throw new DAV\Exception\BadRequest('This report is only defined when Depth: 0');
|
|
}
|
|
|
|
$searchProperties = array();
|
|
|
|
$applyToPrincipalCollectionSet = false;
|
|
|
|
// Parsing the search request
|
|
foreach($dom->firstChild->childNodes as $searchNode) {
|
|
|
|
if (DAV\XMLUtil::toClarkNotation($searchNode) == '{DAV:}apply-to-principal-collection-set') {
|
|
$applyToPrincipalCollectionSet = true;
|
|
}
|
|
|
|
if (DAV\XMLUtil::toClarkNotation($searchNode)!=='{DAV:}property-search')
|
|
continue;
|
|
|
|
$propertyName = null;
|
|
$propertyValue = null;
|
|
|
|
foreach($searchNode->childNodes as $childNode) {
|
|
|
|
switch(DAV\XMLUtil::toClarkNotation($childNode)) {
|
|
|
|
case '{DAV:}prop' :
|
|
$property = DAV\XMLUtil::parseProperties($searchNode);
|
|
reset($property);
|
|
$propertyName = key($property);
|
|
break;
|
|
|
|
case '{DAV:}match' :
|
|
$propertyValue = $childNode->textContent;
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
if (is_null($propertyName) || is_null($propertyValue))
|
|
throw new DAV\Exception\BadRequest('Invalid search request. propertyname: ' . $propertyName . '. propertvvalue: ' . $propertyValue);
|
|
|
|
$searchProperties[$propertyName] = $propertyValue;
|
|
|
|
}
|
|
|
|
return array($searchProperties, array_keys(DAV\XMLUtil::parseProperties($dom->firstChild)), $applyToPrincipalCollectionSet);
|
|
|
|
}
|
|
|
|
|
|
/* }}} */
|
|
|
|
}
|