PROPFIND rights checking
Return 404 and 403 only when it's appropriate. Don't ask users for passwords if an item just doesn't exist (e.g. mistyped URL).
This commit is contained in:
parent
5c2075cb6c
commit
4eb04e3526
@ -28,6 +28,7 @@ should have been included in this package.
|
||||
|
||||
import base64
|
||||
import contextlib
|
||||
import itertools
|
||||
import os
|
||||
import posixpath
|
||||
import pprint
|
||||
@ -521,9 +522,15 @@ class Application:
|
||||
with self._lock_collection("r", user):
|
||||
items = self.Collection.discover(
|
||||
path, environ.get("HTTP_DEPTH", "0"))
|
||||
# take root item for rights checking
|
||||
item = next(items, None)
|
||||
if not self._access(user, path, "r", item):
|
||||
return NOT_ALLOWED
|
||||
if not item:
|
||||
return client.NOT_FOUND, {}, None
|
||||
# put item back
|
||||
items = itertools.chain([item], items)
|
||||
read_items, write_items = self.collect_allowed_items(items, user)
|
||||
if not read_items and not write_items:
|
||||
return (client.NOT_FOUND, {}, None) if user else NOT_ALLOWED
|
||||
headers = {"DAV": DAV_HEADERS, "Content-Type": "text/xml"}
|
||||
answer = xmlutils.propfind(
|
||||
path, content, read_items, write_items, user)
|
||||
|
Loading…
Reference in New Issue
Block a user