DavAclPlugin.php 4.3 KB

  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  6. * @author Lukas Reschke <lukas@statuscode.ch>
  7. * @author Morris Jobke <hey@morrisjobke.de>
  8. * @author Robin Appelman <robin@icewind.nl>
  9. * @author Roeland Jago Douma <roeland@famdouma.nl>
  10. * @author Thomas Müller <thomas.mueller@tmit.eu>
  11. * @author Richard Steinmetz <richard@steinmetz.cloud>
  12. *
  13. * @license AGPL-3.0
  14. *
  15. * This code is free software: you can redistribute it and/or modify
  16. * it under the terms of the GNU Affero General Public License, version 3,
  17. * as published by the Free Software Foundation.
  18. *
  19. * This program is distributed in the hope that it will be useful,
  20. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  22. * GNU Affero General Public License for more details.
  23. *
  24. * You should have received a copy of the GNU Affero General Public License, version 3,
  25. * along with this program. If not, see <http://www.gnu.org/licenses/>
  26. *
  27. */
  28. namespace OCA\DAV\Connector\Sabre;
  29. use OCA\DAV\CalDAV\CachedSubscription;
  30. use OCA\DAV\CalDAV\Calendar;
  31. use OCA\DAV\CardDAV\AddressBook;
  32. use Sabre\CalDAV\Principal\User;
  33. use Sabre\DAV\Exception\Forbidden;
  34. use Sabre\DAV\Exception\NotFound;
  35. use Sabre\DAV\INode;
  36. use Sabre\DAV\PropFind;
  37. use Sabre\HTTP\RequestInterface;
  38. use Sabre\HTTP\ResponseInterface;
  39. /**
  40. * Class DavAclPlugin is a wrapper around \Sabre\DAVACL\Plugin that returns a
  41. * 404 response instead of a 403 when access to a resource has been forbidden.
  42. * This is used to prevent enumeration of valid resources.
  43. *
  44. * @see https://github.com/owncloud/core/issues/22578
  45. * @package OCA\DAV\Connector\Sabre
  46. */
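  class DavAclPlugin extends \Sabre\DAVACL\Plugin {
      /**
       * Turns on the inherited hideNodesFromListings flag and turns off
       * allowUnauthenticatedAccess.
       */
      public function __construct() {
          $this->hideNodesFromListings = true;
          $this->allowUnauthenticatedAccess = false;
      }

      /**
       * Runs the parent privilege check and translates a denial into the
       * exception this plugin wants callers to see.
       *
       * The parent check is always called with exceptions disabled. When it
       * reports a denial and $throwExceptions is true, the principal that owns
       * the node gets a Forbidden, and every other principal gets a NotFound
       * whose message names the node, so that a denial does not confirm to a
       * non-owner that the resource exists.
       *
       * NOTE(review): the NotFound built here only hides the resource if it is
       * indistinguishable from the response for a path that really is missing;
       * confirm the wording and status against what the tree itself raises.
       *
       * @param string $uri path of the node to check
       * @param mixed $privileges privilege name(s), passed through to the parent
       * @param int $recursion recursion mode, passed through to the parent
       * @param bool $throwExceptions whether a denial is raised as an exception
       * @return mixed the parent's result (false when access is denied)
       * @throws Forbidden when the current principal owns the denied node
       * @throws NotFound when any other principal is denied
       */
      public function checkPrivileges($uri, $privileges, $recursion = self::R_PARENT, $throwExceptions = true) {
          $access = parent::checkPrivileges($uri, $privileges, $recursion, false);
          if ($access !== false || !$throwExceptions) {
              return $access;
          }

          /** @var INode $node */
          $node = $this->server->tree->getNodeForPath($uri);

          // INode does not declare getOwner(). Calling it on a node that lacks
          // the method would end in a fatal error rather than the intended
          // NotFound, so a node without an owner is handled like a node owned
          // by somebody else.
          if (method_exists($node, 'getOwner')
              && $this->getCurrentUserPrincipal() === $node->getOwner()) {
              throw new Forbidden("Access denied");
          }

          // Exact class match on purpose: subclasses fall through to 'Node'.
          $type = match (get_class($node)) {
              AddressBook::class => 'Addressbook',
              Calendar::class, CachedSubscription::class => 'Calendar',
              default => 'Node',
          };

          throw new NotFound(
              sprintf(
                  "%s with name '%s' could not be found",
                  $type,
                  $node->getName()
              )
          );
      }

      /**
       * Enforces read/write privileges before delegating the PROPFIND to the
       * parent plugin.
       *
       * Nodes of this namespace's Node class are skipped entirely. For every
       * other node that is not a user principal, the request fails when the
       * path is neither readable nor writable.
       *
       * @param PropFind $propFind
       * @param INode $node
       * @return mixed whatever the parent propFind returns; nothing for Node instances
       */
      public function propFind(PropFind $propFind, INode $node) {
          if ($node instanceof Node) {
              // files don't use dav acls
              return;
          }

          // If the node is neither readable nor writable then fail unless it's
          // the standard user-principal
          if (!($node instanceof User)) {
              $path = $propFind->getPath();
              $canRead = $this->checkPrivileges($path, '{DAV:}read', self::R_PARENT, false);
              $canWrite = $this->checkPrivileges($path, '{DAV:}write', self::R_PARENT, false);
              if ($canRead === false && $canWrite === false) {
                  // Repeat the checks with exceptions enabled so the denial
                  // surfaces as Forbidden/NotFound. The read check is expected
                  // to throw already; the write check is kept as a second line.
                  $this->checkPrivileges($path, '{DAV:}read', self::R_PARENT, true);
                  $this->checkPrivileges($path, '{DAV:}write', self::R_PARENT, true);
              }
          }

          return parent::propFind($propFind, $node);
      }

      /**
       * Runs the parent's pre-request handling and, for address book and
       * calendar paths, checks privileges on the parent collection.
       *
       * Paths under files/ return before the parent handler is called. REPORT
       * requires {DAV:}read on the parent path; MKCALENDAR and MKCOL require
       * {DAV:}write on it. Other methods get no extra check here.
       *
       * @param RequestInterface $request
       * @param ResponseInterface $response
       * @return void
       */
      public function beforeMethod(RequestInterface $request, ResponseInterface $response) {
          $path = $request->getPath();

          // prevent the plugin from causing an unneeded overhead for file requests
          if (str_starts_with($path, 'files/')) {
              return;
          }

          parent::beforeMethod($request, $response);

          $isDavCollectionPath = str_starts_with($path, 'addressbooks/')
              || str_starts_with($path, 'calendars/');
          if (!$isDavCollectionPath) {
              return;
          }

          [$parentName] = \Sabre\Uri\split($path);
          $method = $request->getMethod();

          if ($method === 'REPORT') {
              // is calendars/users/bob or addressbooks/users/bob readable?
              $this->checkPrivileges($parentName, '{DAV:}read');
          } elseif ($method === 'MKCALENDAR' || $method === 'MKCOL') {
              // is calendars/users/bob or addressbooks/users/bob writeable?
              $this->checkPrivileges($parentName, '{DAV:}write');
          }
      }
  }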