implement ACL check for proppatch requests

Wed, 02 Nov 2022 19:10:10 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Wed, 02 Nov 2022 19:10:10 +0100
changeset 413
6afaebf003ea
parent 412
a4e2ce073c0f
child 414
99a34860c105

implement ACL check for proppatch requests

--- a/src/server/webdav/operation.c	Wed Nov 02 18:38:40 2022 +0100
+++ b/src/server/webdav/operation.c	Wed Nov 02 19:10:10 2022 +0100
@@ -282,6 +282,36 @@
         return REQ_ABORTED;
     }
     
+    // check ACL
+    if(acl_evaluate(op->sn, op->rq, ACL_WRITE_XATTR)) {
+        // ACL check failed, either unauthorized or forbidden
+        // acl_evaluate() sets the http status code and may add
+        // response headers for authentication
+        if(op->rq->status_num == PROTOCOL_UNAUTHORIZED) {
+            return REQ_ABORTED; // return here to send an authenticate response
+        }
+        
+        // send multistatus response with status code 403 for each property
+        log_ereport(LOG_VERBOSE, "webdav-proppatch: access forbidden");
+        int ret = REQ_PROCEED;
+        WebdavPList *plist = op->proppatch->set;
+        for(int i=0;i<2;i++) {
+            while(plist) {
+                if(resource->addproperty(resource, plist->property, PROTOCOL_FORBIDDEN)) {
+                    ret = REQ_ABORTED;
+                    break; // OOM
+                }
+                plist = plist->next;
+            }
+            plist = op->proppatch->remove;
+        }
+        
+        if(resource->close(resource)) {
+            ret = REQ_ABORTED; // OOM
+        }
+        return ret;
+    }
+    
     VFSContext *ctx = NULL;
     VFSFile *file = NULL;
     
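Review bot: The `break; // OOM` inside `while(plist)` leaves only the inner loop, so after a failed `resource->addproperty()` on the set list the outer `for` still reassigns `plist = op->proppatch->remove` and keeps calling `addproperty` on a resource that has just reported a failure. Ending the outer loop too stops the forbidden path from doing more work after the error: `for(int i=0;i<2 && ret == REQ_PROCEED;i++) {`. Separately, the denial is logged only as `"webdav-proppatch: access forbidden"` at `LOG_VERBOSE`; adding the request path and the authenticated user, if the session and request objects expose them, would make refused PROPPATCH attempts usable for auditing. The enclosing function starts and ends outside this hunk, so whether `resource->close()` is safe after a failed `addproperty` cannot be confirmed from here.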
