Wed, 02 Nov 2022 19:10:10 +0100
implement ACL check for proppatch requests
src/server/webdav/operation.c | file | annotate | diff | comparison | revisions |
--- a/src/server/webdav/operation.c Wed Nov 02 18:38:40 2022 +0100 +++ b/src/server/webdav/operation.c Wed Nov 02 19:10:10 2022 +0100 @@ -282,6 +282,36 @@ return REQ_ABORTED; } + // check ACL + if(acl_evaluate(op->sn, op->rq, ACL_WRITE_XATTR)) { + // ACL check failed, either unauthorized or forbidden + // acl_evaluate() sets the http status code and may add + // response headers for authentication + if(op->rq->status_num == PROTOCOL_UNAUTHORIZED) { + return REQ_ABORTED; // return here to send an authenticate response + } + + // send multistatus response with status code 403 for each property + log_ereport(LOG_VERBOSE, "webdav-proppatch: access forbidden"); + int ret = REQ_PROCEED; + WebdavPList *plist = op->proppatch->set; + for(int i=0;i<2;i++) { + while(plist) { + if(resource->addproperty(resource, plist->property, PROTOCOL_FORBIDDEN)) { + ret = REQ_ABORTED; + break; // OOM + } + plist = plist->next; + } + plist = op->proppatch->remove; + } + + if(resource->close(resource)) { + ret = REQ_ABORTED; // OOM + } + return ret; + } + VFSContext *ctx = NULL; VFSFile *file = NULL;