Fix permissions for REPORT request

Only read access is required.
This commit is contained in:
Unrud 2017-03-13 08:22:14 +01:00 committed by GitHub
parent c1f0e66232
commit 8a98f4861d

View File

@ -677,12 +677,12 @@ class Application:
def do_REPORT(self, environ, base_prefix, path, user):
"""Manage REPORT request."""
if not self._access(user, path, "w"):
if not self._access(user, path, "r"):
return NOT_ALLOWED
content = self._read_content(environ)
with self.Collection.acquire_lock("r", user):
item = next(self.Collection.discover(path), None)
if not self._access(user, path, "w", item):
if not self._access(user, path, "r", item):
return NOT_ALLOWED
if not item:
return NOT_FOUND