PROPFIND rights checking

Return 404 and 403 only when it's appropriate. Don't ask users for passwords if an item just doesn't exist (e.g. mistyped URL).
Unrud 2016-08-11 02:10:09 +02:00 committed by Unrud
parent 5c2075cb6c
commit 4eb04e3526


@ -28,6 +28,7 @@ should have been included in this package.
import base64 import base64
import contextlib import contextlib
import itertools
import os import os
import posixpath import posixpath
import pprint import pprint
@ -521,9 +522,15 @@ class Application:
with self._lock_collection("r", user): with self._lock_collection("r", user):
items = self.Collection.discover( items = self.Collection.discover(
path, environ.get("HTTP_DEPTH", "0")) path, environ.get("HTTP_DEPTH", "0"))
# take root item for rights checking
item = next(items, None)
if not self._access(user, path, "r", item):
return NOT_ALLOWED
if not item:
return client.NOT_FOUND, {}, None
# put item back
items = itertools.chain([item], items)
read_items, write_items = self.collect_allowed_items(items, user) read_items, write_items = self.collect_allowed_items(items, user)
if not read_items and not write_items:
return (client.NOT_FOUND, {}, None) if user else NOT_ALLOWED
headers = {"DAV": DAV_HEADERS, "Content-Type": "text/xml"} headers = {"DAV": DAV_HEADERS, "Content-Type": "text/xml"}
answer = xmlutils.propfind( answer = xmlutils.propfind(
path, content, read_items, write_items, user) path, content, read_items, write_items, user)
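Review bot: The existence test `if not item:` after `item = next(items, None)` checks truthiness rather than the `None` sentinel, so an item whose type defines `__len__` or `__bool__` (not visible here) and evaluates false would be answered with 404 even though it exists; `if item is None:` matches the sentinel exactly. The new code also calls `self._access(user, path, "r", item)` with `item` possibly `None`, and what `_access` decides in that case is outside this hunk. Since the description says a missing item should not trigger a password prompt, the 404/403 split may let a caller without read rights learn which paths exist; if that trade-off is accepted, a short comment above the check should say so, e.g. `# rights are checked first; a missing path is only reported as 404 when _access allows the read`. The enclosing method starts and ends outside the hunk.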