PublishPlugin.php 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-License-Identifier: AGPL-3.0-or-later
  5. */
  6. namespace OCA\DAV\CalDAV\Publishing;
  7. use OCA\DAV\CalDAV\Calendar;
  8. use OCA\DAV\CalDAV\Publishing\Xml\Publisher;
  9. use OCP\AppFramework\Http;
  10. use OCP\IConfig;
  11. use OCP\IURLGenerator;
  12. use Sabre\CalDAV\Xml\Property\AllowedSharingModes;
  13. use Sabre\DAV\Exception\NotFound;
  14. use Sabre\DAV\INode;
  15. use Sabre\DAV\PropFind;
  16. use Sabre\DAV\Server;
  17. use Sabre\DAV\ServerPlugin;
  18. use Sabre\HTTP\RequestInterface;
  19. use Sabre\HTTP\ResponseInterface;
  20. class PublishPlugin extends ServerPlugin {
  21. public const NS_CALENDARSERVER = 'http://calendarserver.org/ns/';
  22. /**
  23. * Reference to SabreDAV server object.
  24. *
  25. * @var \Sabre\DAV\Server
  26. */
  27. protected $server;
  28. /**
  29. * PublishPlugin constructor.
  30. *
  31. * @param IConfig $config
  32. * @param IURLGenerator $urlGenerator
  33. */
  34. public function __construct(
  35. /**
  36. * Config instance to get instance secret.
  37. */
  38. protected IConfig $config,
  39. /**
  40. * URL Generator for absolute URLs.
  41. */
  42. protected IURLGenerator $urlGenerator,
  43. ) {
  44. }
  45. /**
  46. * This method should return a list of server-features.
  47. *
  48. * This is for example 'versioning' and is added to the DAV: header
  49. * in an OPTIONS response.
  50. *
  51. * @return string[]
  52. */
  53. public function getFeatures() {
  54. // May have to be changed to be detected
  55. return ['oc-calendar-publishing', 'calendarserver-sharing'];
  56. }
  57. /**
  58. * Returns a plugin name.
  59. *
  60. * Using this name other plugins will be able to access other plugins
  61. * using Sabre\DAV\Server::getPlugin
  62. *
  63. * @return string
  64. */
  65. public function getPluginName() {
  66. return 'oc-calendar-publishing';
  67. }
  68. /**
  69. * This initializes the plugin.
  70. *
  71. * This function is called by Sabre\DAV\Server, after
  72. * addPlugin is called.
  73. *
  74. * This method should set up the required event subscriptions.
  75. *
  76. * @param Server $server
  77. */
  78. public function initialize(Server $server) {
  79. $this->server = $server;
  80. $this->server->on('method:POST', [$this, 'httpPost']);
  81. $this->server->on('propFind', [$this, 'propFind']);
  82. }
  83. public function propFind(PropFind $propFind, INode $node) {
  84. if ($node instanceof Calendar) {
  85. $propFind->handle('{' . self::NS_CALENDARSERVER . '}publish-url', function () use ($node) {
  86. if ($node->getPublishStatus()) {
  87. // We return the publish-url only if the calendar is published.
  88. $token = $node->getPublishStatus();
  89. $publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri() . 'public-calendars/') . $token;
  90. return new Publisher($publishUrl, true);
  91. }
  92. });
  93. $propFind->handle('{' . self::NS_CALENDARSERVER . '}allowed-sharing-modes', function () use ($node) {
  94. $canShare = (!$node->isSubscription() && $node->canWrite());
  95. $canPublish = (!$node->isSubscription() && $node->canWrite());
  96. if ($this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes') {
  97. $canShare = $canShare && ($node->getOwner() === $node->getPrincipalURI());
  98. $canPublish = $canPublish && ($node->getOwner() === $node->getPrincipalURI());
  99. }
  100. return new AllowedSharingModes($canShare, $canPublish);
  101. });
  102. }
  103. }
  104. /**
  105. * We intercept this to handle POST requests on calendars.
  106. *
  107. * @param RequestInterface $request
  108. * @param ResponseInterface $response
  109. *
  110. * @return void|bool
  111. */
  112. public function httpPost(RequestInterface $request, ResponseInterface $response) {
  113. $path = $request->getPath();
  114. // Only handling xml
  115. $contentType = (string)$request->getHeader('Content-Type');
  116. if (!str_contains($contentType, 'application/xml') && !str_contains($contentType, 'text/xml')) {
  117. return;
  118. }
  119. // Making sure the node exists
  120. try {
  121. $node = $this->server->tree->getNodeForPath($path);
  122. } catch (NotFound $e) {
  123. return;
  124. }
  125. $requestBody = $request->getBodyAsString();
  126. // If this request handler could not deal with this POST request, it
  127. // will return 'null' and other plugins get a chance to handle the
  128. // request.
  129. //
  130. // However, we already requested the full body. This is a problem,
  131. // because a body can only be read once. This is why we preemptively
  132. // re-populated the request body with the existing data.
  133. $request->setBody($requestBody);
  134. $this->server->xml->parse($requestBody, $request->getUrl(), $documentType);
  135. switch ($documentType) {
  136. case '{' . self::NS_CALENDARSERVER . '}publish-calendar':
  137. // We can only deal with IShareableCalendar objects
  138. if (!$node instanceof Calendar) {
  139. return;
  140. }
  141. $this->server->transactionType = 'post-publish-calendar';
  142. // Getting ACL info
  143. $acl = $this->server->getPlugin('acl');
  144. // If there's no ACL support, we allow everything
  145. if ($acl) {
  146. /** @var \Sabre\DAVACL\Plugin $acl */
  147. $acl->checkPrivileges($path, '{DAV:}write');
  148. $limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
  149. $isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
  150. if ($limitSharingToOwner && !$isOwner) {
  151. return;
  152. }
  153. }
  154. $node->setPublishStatus(true);
  155. // iCloud sends back the 202, so we will too.
  156. $response->setStatus(Http::STATUS_ACCEPTED);
  157. // Adding this because sending a response body may cause issues,
  158. // and I wanted some type of indicator the response was handled.
  159. $response->setHeader('X-Sabre-Status', 'everything-went-well');
  160. // Breaking the event chain
  161. return false;
  162. case '{' . self::NS_CALENDARSERVER . '}unpublish-calendar':
  163. // We can only deal with IShareableCalendar objects
  164. if (!$node instanceof Calendar) {
  165. return;
  166. }
  167. $this->server->transactionType = 'post-unpublish-calendar';
  168. // Getting ACL info
  169. $acl = $this->server->getPlugin('acl');
  170. // If there's no ACL support, we allow everything
  171. if ($acl) {
  172. /** @var \Sabre\DAVACL\Plugin $acl */
  173. $acl->checkPrivileges($path, '{DAV:}write');
  174. $limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
  175. $isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
  176. if ($limitSharingToOwner && !$isOwner) {
  177. return;
  178. }
  179. }
  180. $node->setPublishStatus(false);
  181. $response->setStatus(Http::STATUS_OK);
  182. // Adding this because sending a response body may cause issues,
  183. // and I wanted some type of indicator the response was handled.
  184. $response->setHeader('X-Sabre-Status', 'everything-went-well');
  185. // Breaking the event chain
  186. return false;
  187. }
  188. }
  189. }