From 4eb04e3526f327de419539878008a3492f2fa65e Mon Sep 17 00:00:00 2001
From: Unrud
Date: Thu, 11 Aug 2016 02:10:09 +0200
Subject: [PATCH] PROPFIND rights checking
Return 404 and 403 only when it's appropriate. Don't ask users for passwords if an item just doesn't exist (e.g. mistyped URL).
---
 radicale/__init__.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/radicale/__init__.py b/radicale/__init__.py
index 56904e9..ca16ded 100644
--- a/radicale/__init__.py
+++ b/radicale/__init__.py
@@ -28,6 +28,7 @@ should have been included in this package.
 import base64
 import contextlib
+import itertools
 import os
 import posixpath
 import pprint
@@ -521,9 +522,15 @@ class Application:
 with self._lock_collection("r", user):
 items = self.Collection.discover(
 path, environ.get("HTTP_DEPTH", "0"))
+ # take root item for rights checking
+ item = next(items, None)
+ if not self._access(user, path, "r", item):
+ return NOT_ALLOWED
+ if not item:
+ return client.NOT_FOUND, {}, None
+ # put item back
+ items = itertools.chain([item], items)
 read_items, write_items = self.collect_allowed_items(items, user)
- if not read_items and not write_items:
- return (client.NOT_FOUND, {}, None) if user else NOT_ALLOWED
 headers = {"DAV": DAV_HEADERS, "Content-Type": "text/xml"}
 answer = xmlutils.propfind(
 path, content, read_items, write_items, user)
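Review bot: The `if not item: return client.NOT_FOUND` branch is reached only after `_access(user, path, "r", item)` has passed with `item` being `None`, so for the stated goal ("don't ask for passwords if an item doesn't exist") `_access` must accept a missing item even for an unauthenticated user, which means an anonymous client can distinguish 404 from 401/403 and enumerate existing collection and user paths; `_access` is not visible here, so this is inferred from the description. If path existence is not meant to be secret that is an acceptable trade-off, but it should be stated at the line, e.g. `# NOTE: 404 is returned before authentication; existence of a path is not treated as secret`, otherwise gate the 404 on `user` being set as the removed line did. The sentinel returned by `next(items, None)` is `None`, so the existence test is more precise as `if item is None:` than `if not item:`, which would also fire on a falsy item object. `next(items, None)` also assumes `discover` returns an iterator and raises TypeError on a list; `items = iter(self.Collection.discover(...))` removes that dependency. The enclosing method of `Application` starts before the hunk and continues after it.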